Windows Analysis Report
steel.exe.3.exe

Overview

General Information

Sample name: steel.exe.3.exe
Analysis ID: 1577455
MD5: db153670ed84a7e848fa356e7aecc80d
SHA1: 7c6be83fc3b7af9c5980c6d46a4a604b7c878ebd
SHA256: ba58d3f14d7e106b3ad8d60501bdbcaf19506731b5085d478d9a0887e6b0b524
Tags: bulletproof, exe, user-abus3reports

Detection

Socks5Systemz
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • steel.exe.3.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\steel.exe.3.exe" MD5: DB153670ED84A7E848FA356E7AECC80D)
    • steel.exe.3.tmp (PID: 7812 cmdline: "C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp" /SL5="$1044A,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe" MD5: 192CB1EFDC38E560F417C173410B8749)
      • mediacodecpack3.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -i MD5: 1BADA3AB49364C26DA68D41031611AC7)
  • cleanup
No configs have been found
Yara Overview: Dropped Files
Source | Rule | Description | Author
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-H9I2V.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Yara Overview: Memory Dumps
Source | Rule | Description | Author
00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000002.00000002.3209734982.00000000058E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000000.1374989134.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000003.00000002.3210153600.0000000002B63000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Process Memory Space: mediacodecpack3.exe PID: 7872 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

Yara Overview: Unpacked PEs
Source | Rule | Description | Author
3.0.mediacodecpack3.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T13:53:32.123965+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.11 | 49977 | 188.119.66.185 | 443 | TCP
2024-12-18T13:53:32.813853+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.11 | 49977 | 188.119.66.185 | 443 | TCP

AV Detection

Source: https://188.119.66.185/ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c325 | Avira URL Cloud: Label: malware
Source: https://188.119.66.185/ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d605633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd0348b | Avira URL Cloud: Label: malware
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.4% probability
Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0045D188 GetProcAddress, GetProcAddress, GetProcAddress, ISCryptGetVersion, 2_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0045D254 ArcFourCrypt, 2_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0045D23C ArcFourCrypt, 2_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_10001000 ISCryptGetVersion, 2_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_10001130 ArcFourCrypt, 2_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Unpacked PE file: 3.2.mediacodecpack3.exe.400000.0.unpack
Source: steel.exe.3.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.11:49977 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-SB58A.tmp.2.dr
Source: Binary string: msvcr71.pdb< source: is-R9F0A.tmp.2.dr
Source: Binary string: msvcp71.pdb source: is-SB58A.tmp.2.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-4MERI.tmp.2.dr
Source: Binary string: msvcr71.pdb source: is-R9F0A.tmp.2.dr
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00452A60 FindFirstFileA, GetLastError, 2_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00474F88 FindFirstFileA, FindNextFileA, FindClose, 2_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004980A4 FindFirstFileA, SetFileAttributesA, FindNextFileA, FindClose, 2_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00464158 SetErrorMode, FindFirstFileA, FindNextFileA, FindClose, SetErrorMode, 2_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00462750 FindFirstFileA, FindNextFileA, FindClose, 2_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00463CDC SetErrorMode, FindFirstFileA, FindNextFileA, FindClose, SetErrorMode, 2_2_00463CDC
Source: Joe Sandbox View | IP Address: 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.11:49977 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49977 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d605633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd0348b HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 188.119.66.185
Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_00852B95 WSASetLastError, WSARecv, WSASetLastError, select, 3_2_00852B95
Source: steel.exe.3.tmp, 00000002.00000002.3209734982.00000000059AC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000000.1375126393.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, is-H9I2V.tmp.2.dr, MediaCodecPack.exe.3.dr, mediacodecpack3.exe.2.dr | String found in binary or memory: http://wonderwork.ucoz.com/
Source: steel.exe.3.tmp, steel.exe.3.tmp, 00000002.00000000.1355532353.0000000000401000.00000020.00000001.01000000.00000004.sdmp, steel.exe.3.tmp.1.dr, is-EQB8P.tmp.2.dr | String found in binary or memory: http://www.innosetup.com/
Source: steel.exe.3.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: steel.exe.3.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: steel.exe.3.exe, 00000001.00000003.1355051581.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354903008.0000000002300000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, steel.exe.3.tmp, 00000002.00000000.1355532353.0000000000401000.00000020.00000001.01000000.00000004.sdmp, steel.exe.3.tmp.1.dr, is-EQB8P.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: steel.exe.3.exe, 00000001.00000003.1355051581.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354903008.0000000002300000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000000.1355532353.0000000000401000.00000020.00000001.01000000.00000004.sdmp, steel.exe.3.tmp.1.dr, is-EQB8P.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
Source: mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/4.
Source: mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c325
Source: steel.exe.3.exe, 00000001.00000002.3208961823.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354461650.0000000002300000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354559731.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000003.1356634579.0000000002128000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000003.1356547273.0000000003140000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000002.3208888817.0000000000692000.00000004.00000020.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000002.3209193503.0000000002128000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: unknown | Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49977
Source: is-4MERI.tmp.2.dr | Binary or memory string: DirectDrawCreateExmemstr_01d9740f-e
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0042F520 NtdllDefWindowProc_A, 2_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00423B84 NtdllDefWindowProc_A, 2_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004125D8 NtdllDefWindowProc_A, 2_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00478AC0 NtdllDefWindowProc_A, 2_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00457594 PostMessageA, PostMessageA, SetForegroundWindow, NtdllDefWindowProc_A, 2_2_00457594
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0042E934: CreateFileA, DeviceIoControl, GetLastError, CloseHandle, SetLastError, 2_2_0042E934
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00409448 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx, 1_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004555E4 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, GetLastError, ExitWindowsEx, 2_2_004555E4
Source: Joe Sandbox View | Dropped File: C:\ProgramData\MediaCodecPack\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: String function: 004460A4 appears 59 times
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: String function: 00872A10 appears 135 times
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: String function: 00867760 appears 32 times
Source: steel.exe.3.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: steel.exe.3.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: steel.exe.3.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-EQB8P.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EQB8P.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-EQB8P.tmp.2.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: sqlite3.dll.3.dr | Static PE information: Number of sections : 19 > 10
Source: is-JD8V3.tmp.2.dr | Static PE information: Number of sections : 19 > 10
Source: steel.exe.3.exe, 00000001.00000003.1355051581.0000000002088000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs steel.exe.3.exe
Source: steel.exe.3.exe, 00000001.00000003.1354903008.0000000002300000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs steel.exe.3.exe
Source: classification engine | Classification label: mal92.troj.evad.winEXE@5/26@0/1
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_0085F8D0 _memset, FormatMessageA, GetLastError, FormatMessageA, GetLastError, 3_2_0085F8D0
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00455E0C GetModuleHandleA, GetProcAddress, GetDiskFreeSpaceA, 2_2_00455E0C
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: CreateServiceA, CloseServiceHandle, CloseServiceHandle, CloseServiceHandle, 3_2_00401CF9
Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0046E0E4 GetVersion, CoCreateInstance, 2_2_0046E0E4
Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00409C34 FindResourceA, SizeofResource, LoadResource, LockResource, 1_2_00409C34
Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_00401951 GetLocalTime, StartServiceCtrlDispatcherA, lstrcmpiW, 3_2_00401951
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeCode function: 3_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW,3_2_00401951
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeCode function: 3_2_0040DEE9 StartServiceCtrlDispatcherA,3_2_0040DEE9
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
                    Source: C:\Users\user\Desktop\steel.exe.3.exeFile created: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmpJump to behavior
                    Source: Yara matchFile source: 3.0.mediacodecpack3.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.3209734982.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.1374989134.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-H9I2V.tmp, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpFile read: C:\Windows\win.iniJump to behavior
                    Source: C:\Users\user\Desktop\steel.exe.3.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                    Source: mediacodecpack3.exe, mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: mediacodecpack3.exe, mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: mediacodecpack3.exe, mediacodecpack3.exe, 00000003.00000003.1677286706.000000000096B000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-JD8V3.tmp.2.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: steel.exe.3.exeString found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: steel.exe.3.exeString found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\steel.exe.3.exeFile read: C:\Users\user\Desktop\steel.exe.3.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\steel.exe.3.exe "C:\Users\user\Desktop\steel.exe.3.exe"
                    Source: C:\Users\user\Desktop\steel.exe.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp "C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp" /SL5="$1044A,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpProcess created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -i
                    Source: C:\Users\user\Desktop\steel.exe.3.exeProcess created: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp "C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp" /SL5="$1044A,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpProcess created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -iJump to behavior
                    Source: C:\Users\user\Desktop\steel.exe.3.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\steel.exe.3.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: msacm32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: winmmbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: winmmbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: riched20.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: usp10.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: msls31.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: explorerframe.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: sfc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: sqlite3.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaCodecPack_is1Jump to behavior
                    Source: steel.exe.3.exeStatic file information: File size 3295664 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-SB58A.tmp.2.dr
                    Source: Binary string: msvcr71.pdb< source: is-R9F0A.tmp.2.dr
                    Source: Binary string: msvcp71.pdb source: is-SB58A.tmp.2.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-4MERI.tmp.2.dr
                    Source: Binary string: msvcr71.pdb source: is-R9F0A.tmp.2.dr

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Unpacked PE file: 3.2.mediacodecpack3.exe.400000.0.unpack .aitt5:ER;.ajtt5:R;.aktt5:W;.rsrc:R;.altt5:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Unpacked PE file: 3.2.mediacodecpack3.exe.400000.0.unpack
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004502C0
                    Source: initial sample | Static PE information: section where entry point is pointing to: .aitt5
                    Source: mediacodecpack3.exe.2.dr | Static PE information: section name: .aitt5
                    Source: mediacodecpack3.exe.2.dr | Static PE information: section name: .ajtt5
                    Source: mediacodecpack3.exe.2.dr | Static PE information: section name: .aktt5
                    Source: mediacodecpack3.exe.2.dr | Static PE information: section name: .altt5
                    Source: is-4MERI.tmp.2.dr | Static PE information: section name: Shared
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /4
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /19
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /35
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /51
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /63
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /77
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /89
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /102
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /113
                    Source: is-JD8V3.tmp.2.dr | Static PE information: section name: /124
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aitt5
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .ajtt5
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aktt5
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .altt5
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /4
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /19
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /35
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /51
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /63
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /77
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /89
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /102
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /113
                    Source: sqlite3.dll.3.dr | Static PE information: section name: /124
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_004065C8 push 00406605h; ret 1_2_004065FD
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_004040B5 push eax; ret 1_2_004040F1
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00408104 push ecx; mov dword ptr [esp], eax 1_2_00408109
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00404185 push 00404391h; ret 1_2_00404389
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00404206 push 00404391h; ret 1_2_00404389
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_0040C218 push eax; ret 1_2_0040C219
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_004042E8 push 00404391h; ret 1_2_00404389
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00404283 push 00404391h; ret 1_2_00404389
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00408F38 push 00408F6Bh; ret 1_2_00408F63
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0040994C push 00409989h; ret 2_2_00409981
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00483F88 push 00484096h; ret 2_2_0048408E
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004062B4 push ecx; mov dword ptr [esp], eax 2_2_004062B5
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004104E0 push ecx; mov dword ptr [esp], edx 2_2_004104E5
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00412928 push 0041298Bh; ret 2_2_00412983
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00494CAC push ecx; mov dword ptr [esp], ecx 2_2_00494CB1
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0040CE38 push ecx; mov dword ptr [esp], edx 2_2_0040CE3A
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004592D0 push 00459314h; ret 2_2_0045930C
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0040F398 push ecx; mov dword ptr [esp], edx 2_2_0040F39A
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00443440 push ecx; mov dword ptr [esp], ecx 2_2_00443444
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0040546D push eax; ret 2_2_004054A9
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00485678 push ecx; mov dword ptr [esp], ecx 2_2_0048567D
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004517F8 push 0045182Bh; ret 2_2_00451823
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004519BC push ecx; mov dword ptr [esp], eax 2_2_004519C1
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00477B08 push ecx; mov dword ptr [esp], edx 2_2_00477B09
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00419C28 push ecx; mov dword ptr [esp], ecx 2_2_00419C2D
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0045FD1C push ecx; mov dword ptr [esp], ecx 2_2_0045FD20
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00499D30 pushad ; retf 2_2_00499D3F
                    Source: mediacodecpack3.exe.2.dr | Static PE information: section name: .aitt5 entropy: 7.743465021339394
                    Source: MediaCodecPack.exe.3.dr | Static PE information: section name: .aitt5 entropy: 7.743465021339394

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_0085E8A7
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-SB58A.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.dll (copy)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | File created: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-R9F0A.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-JD8V3.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\sqlite3.dll (copy)
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | File created: C:\ProgramData\MediaCodecPack\sqlite3.dll
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | File created: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-4MERI.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-3E1JU.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | File created: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\is-EQB8P.tmp

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 3_2_0085E8A7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_00401951 GetLocalTime,StartServiceCtrlDispatcherA,lstrcmpiW,3_2_00401951
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,2_2_00423C0C
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004241DC IsIconic,SetActiveWindow,SetFocus,2_2_004241DC
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00424194 IsIconic,SetActiveWindow,2_2_00424194
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,2_2_00418384
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,2_2_0042285C
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00417598 IsIconic,GetCapture,2_2_00417598
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,2_2_0048393C
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00417CCE IsIconic,SetWindowPos,2_2_00417CCE
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_00417CD0
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,2_2_0041F118
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | RDTSC instruction interceptor: First address: 40D6C2 second address: 40D6C2 instructions:
                        0x00000000 rdtsc
                        0x00000002 sal si, FFF1h
                        0x00000006 mov eax, dword ptr [ebp-0Ch]
                        0x00000009 mov edx, dword ptr [ebp-30h]
                        0x0000000c rcr esi, FFFFFFD5h
                        0x0000000f movzx esi, bx
                        0x00000012 add edx, dword ptr [eax+0Ch]
                        0x00000015 lahf
                        0x00000016 cwde
                        0x00000017 mov eax, dword ptr [ebp-18h]
                        0x0000001a mov si, cx
                        0x0000001d movsx esi, si
                        0x00000020 mov esi, dword ptr [ebp-18h]
                        0x00000023 mov cl, byte ptr [ecx+esi]
                        0x00000026 jmp 00007FF618B89CD9h
                        0x0000002b mov byte ptr [edx+eax], cl
                        0x0000002e jmp 00007FF618BA0E7Ch
                        0x00000033 mov eax, dword ptr [ebp-18h]
                        0x00000036 jmp 00007FF618B889CCh
                        0x0000003b inc eax
                        0x0000003c ror cl, 0000007Bh
                        0x0000003f btc ecx, FFFFFF83h
                        0x00000043 mov dword ptr [ebp-18h], eax
                        0x00000046 jmp 00007FF618BA14C0h
                        0x0000004b mov eax, dword ptr [ebp-28h]
                        0x0000004e cmp ebp, eax
                        0x00000050 or ch, cl
                        0x00000052 mov ecx, dword ptr [ebp-18h]
                        0x00000055 cmp di, 6D14h
                        0x0000005a cmp ecx, dword ptr [eax+10h]
                        0x0000005d jnc 00007FF618B88DF3h
                        0x00000063 mov eax, dword ptr [ebp-28h]
                        0x00000066 jmp 00007FF618B94CA4h
                        0x0000006b mov ecx, dword ptr [ebp-1Ch]
                        0x0000006e add si, di
                        0x00000071 add ecx, dword ptr [eax+14h]
                        0x00000074 rdtsc
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_0040D6B9 rdtsc 3_2_0040D6B9
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_0085E9AB
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-SB58A.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-R9F0A.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcr71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\gdiplus.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-JD8V3.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-4MERI.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcp71.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-3E1JU.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\uninstall\is-EQB8P.tmp
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_1-5970
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_3-61325
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | API coverage: 3.0 %
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 7876 | Thread sleep count: 81 > 30
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 7876 | Thread sleep time: -162000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe TID: 7432 | Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00452A60 FindFirstFileA,GetLastError,2_2_00452A60
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00474F88 FindFirstFileA,FindNextFileA,FindClose,2_2_00474F88
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,2_2_004980A4
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_00464158
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00462750 FindFirstFileA,FindNextFileA,FindClose,2_2_00462750
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_00463CDC
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,1_2_00409B78
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Thread delayed: delay time: 60000
                    Source: mediacodecpack3.exe, 00000003.00000002.3210712096.0000000003340000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000958000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(W4
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | API call chain: ExitProcess graph end node graph_1-6767
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | API call chain: ExitProcess graph end node graph_3-60913
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_3-61223
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_0040D6B9 rdtsc 3_2_0040D6B9
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_008680FE IsDebuggerPresent,3_2_008680FE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_0086E6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_0086E6BE
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004502C0
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_00855E5E RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,3_2_00855E5E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_008680E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_008680E8
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,2_2_00478504
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,2_2_0042E09C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_0085E85F cpuid 3_2_0085E85F
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: GetLocaleInfoA,1_2_0040520C
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: GetLocaleInfoA,1_2_00405258
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: GetLocaleInfoA,2_2_00408568
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: GetLocaleInfoA,2_2_004085B4
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,2_2_004585C8
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_004026C4 GetSystemTime,1_2_004026C4
                    Source: C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp | Code function: 2_2_0045559C GetUserNameA,2_2_0045559C
                    Source: C:\Users\user\Desktop\steel.exe.3.exe | Code function: 1_2_00405CF4 GetVersionExA,1_2_00405CF4

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3210153600.0000000002B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: mediacodecpack3.exe PID: 7872, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3210153600.0000000002B63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: mediacodecpack3.exe PID: 7872, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_609660FA
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,3_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60963143
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,3_2_6096923E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,3_2_6096A38C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_6096748C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_609254B1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6094B407
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6090F435 sqlite3_bind_parameter_index,3_2_6090F435
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,3_2_609255D4
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_609255FF sqlite3_bind_text,3_2_609255FF
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,3_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,3_2_6094B54C
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60925686
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,3_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,3_2_609256E5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6092562A sqlite3_bind_blob,3_2_6092562A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,3_2_60925655
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6094C64A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_609687A7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,3_2_6092570B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F772
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,3_2_60925778
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6090577D sqlite3_bind_parameter_name,3_2_6090577D
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B764
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6090576B sqlite3_bind_parameter_count,3_2_6090576B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,3_2_6094A894
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F883
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,3_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,3_2_6096281E
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,3_2_6096583A
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,3_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6094A92B
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6090EAE5 sqlite3_transfer_bindings,3_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,3_2_6095FB98
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,3_2_60966DF1
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_60969D75
                    Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,3_2_6095FFB2
MITRE ATT&CK Matrix (the number in front of a technique is the count of matching signatures; techniques without a number were not observed):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 5 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Bootkit | 1 Access Token Manipulation | 21 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 5 Windows Service | 1 DLL Side-Loading | NTDS | 135 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 1 Masquerading | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 121 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Process Injection | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    No Antivirus matches
Source | Detection | Scanner
C:\ProgramData\MediaCodecPack\MediaCodecPack.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe | 100% | Joe Sandbox ML
C:\ProgramData\MediaCodecPack\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\gdiplus.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-3E1JU.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-4MERI.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-JD8V3.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-R9F0A.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-SB58A.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcp71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\msvcr71.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\sqlite3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-HQMMN.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://188.119.66.185/ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c325 | 100% | Avira URL Cloud | malware
http://wonderwork.ucoz.com/ | 0% | Avira URL Cloud | safe
https://188.119.66.185/4. | 0% | Avira URL Cloud | safe
https://188.119.66.185/ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d605633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd0348b | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d605633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd0348b | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | steel.exe.3.tmp, steel.exe.3.tmp, 00000002.00000000.1355532353.0000000000401000.00000020.00000001.01000000.00000004.sdmp, steel.exe.3.tmp.1.dr, is-EQB8P.tmp.2.dr | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | steel.exe.3.exe | false | | high
https://188.119.66.185/ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c325 | mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://wonderwork.ucoz.com/ | steel.exe.3.tmp, 00000002.00000002.3209734982.00000000059AC000.00000004.00001000.00020000.00000000.sdmp, mediacodecpack3.exe, 00000003.00000000.1375126393.00000000004D2000.00000002.00000001.01000000.00000009.sdmp, is-H9I2V.tmp.2.dr, MediaCodecPack.exe.3.dr, mediacodecpack3.exe.2.dr | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | steel.exe.3.exe, 00000001.00000003.1355051581.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354903008.0000000002300000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000000.1355532353.0000000000401000.00000020.00000001.01000000.00000004.sdmp, steel.exe.3.tmp.1.dr, is-EQB8P.tmp.2.dr | false | | high
http://www.remobjects.com/ps | steel.exe.3.exe, 00000001.00000003.1355051581.0000000002088000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354903008.0000000002300000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, steel.exe.3.tmp, 00000002.00000000.1355532353.0000000000401000.00000020.00000001.01000000.00000004.sdmp, steel.exe.3.tmp.1.dr, is-EQB8P.tmp.2.dr | false | | high
https://www.easycutstudio.com/support.html | steel.exe.3.exe, 00000001.00000002.3208961823.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354461650.0000000002300000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.exe, 00000001.00000003.1354559731.0000000002081000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000003.1356634579.0000000002128000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000003.1356547273.0000000003140000.00000004.00001000.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000002.3208888817.0000000000692000.00000004.00000020.00020000.00000000.sdmp, steel.exe.3.tmp, 00000002.00000002.3209193503.0000000002128000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://188.119.66.185/4. | mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | steel.exe.3.exe | false | | high
https://188.119.66.185/ | mediacodecpack3.exe, 00000003.00000002.3208960997.0000000000A31000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
188.119.66.185 | unknown | Russian Federation | 209499 | FLYNETRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577455
Start date and time: 2024-12-18 13:50:23 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: steel.exe.3.exe
Detection: MAL
Classification: mal92.troj.evad.winEXE@5/26@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 173
• Number of non-executed functions: 286
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: steel.exe.3.exe
                                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.119.66.185 | newwork.exe.1.exe | malicious | Socks5Systemz |
| Oz2UhFBTHy.exe | malicious | Socks5Systemz |
| GEm3o8pION.exe | malicious | Socks5Systemz |
| GEm3o8pION.exe | malicious | Socks5Systemz |
| bzX2pV3Ybw.exe | malicious | Socks5Systemz |
| bzX2pV3Ybw.exe | malicious | Socks5Systemz |
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz |
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz |
| 2mtt3zE6Vh.exe | malicious | Socks5Systemz |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | newwork.exe.1.exe | malicious | Socks5Systemz | 13.107.246.63
| IW9QNpidAN.exe | malicious | Unknown | 13.107.246.63
| T2dvU8f2xg.exe | malicious | Unknown | 13.107.246.63
| IW9QNpidAN.exe | malicious | Unknown | 13.107.246.63
| cred.dll | malicious | Amadey | 13.107.246.63
| v_dolg.exe | malicious | LummaC Stealer | 13.107.246.63
| Setup2.exe | malicious | Cryptbot | 13.107.246.63
| clcs.exe | malicious | Cryptbot | 13.107.246.63
| 2kudv4ea.exe | malicious | LummaC | 13.107.246.63
| stealc_default2.exe | malicious | Stealc, Vidar | 13.107.246.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FLYNETRU | newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
| Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
| GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
| GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
| bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
| bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
| 2mtt3zE6Vh.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | newwork.exe.1.exe | malicious | Socks5Systemz | 188.119.66.185
| cd#U9988.exe | malicious | Unknown | 188.119.66.185
| Oz2UhFBTHy.exe | malicious | Socks5Systemz | 188.119.66.185
| GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
| GEm3o8pION.exe | malicious | Socks5Systemz | 188.119.66.185
| bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
| bzX2pV3Ybw.exe | malicious | Socks5Systemz | 188.119.66.185
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz | 188.119.66.185
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\ProgramData\MediaCodecPack\sqlite3.dll | newwork.exe.1.exe | malicious | Socks5Systemz |
| AbC0LBkVhr.exe | malicious | Socks5Systemz |
| Oz2UhFBTHy.exe | malicious | Socks5Systemz |
| GEm3o8pION.exe | malicious | Socks5Systemz |
| GEm3o8pION.exe | malicious | Socks5Systemz |
| bzX2pV3Ybw.exe | malicious | Socks5Systemz |
| bzX2pV3Ybw.exe | malicious | Socks5Systemz |
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz |
| Ni2ghr9eUJ.exe | malicious | Socks5Systemz |
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3186888
Entropy (8bit): 6.230475147166178
Encrypted: false
SSDEEP: 49152:5YOSeerrANJi8JBsNkPB4jnCViGF1awdEYO:SVeevAb/2kZ4jGiGFdO
MD5: 1BADA3AB49364C26DA68D41031611AC7
SHA1: 5BBB3CA5C6CED071A4297E0DB6C8AA96B16FA96B
SHA-256: F8A65D51ACF7D271F7BA0114366234DCE29BE27CFB73CA94AF990EC379350149
SHA-512: CFA982246856746524ECF44D45F5697B52DC6E90A828625697116B856CB7B51080562607EB89910216D18C8C13E2AED2AAAD65C58F66DEE3B6CDB79405C36701
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MediaCodecPack\MediaCodecPack.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Process: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 645592
Entropy (8bit): 6.50414583238337
Encrypted: false
SSDEEP: 12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5: E477A96C8F2B18D6B5C27BDE49C990BF
SHA1: E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256: 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512: 335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: newwork.exe.1.exe, Detection: malicious
• Filename: AbC0LBkVhr.exe, Detection: malicious
• Filename: Oz2UhFBTHy.exe, Detection: malicious
• Filename: GEm3o8pION.exe, Detection: malicious
• Filename: GEm3o8pION.exe, Detection: malicious
• Filename: bzX2pV3Ybw.exe, Detection: malicious
• Filename: bzX2pV3Ybw.exe, Detection: malicious
• Filename: Ni2ghr9eUJ.exe, Detection: malicious
• Filename: Ni2ghr9eUJ.exe, Detection: malicious
Reputation: high, very likely benign file
                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                        File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):8
                                                                        Entropy (8bit):2.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:fS/:fS/
                                                                        MD5:1C6279201C665BE33C8C915FEBD9D5F6
                                                                        SHA1:84914C1E4990DF65CF3E59328D90356BD4AD706B
                                                                        SHA-256:D7CA082BEBDA0DFA7DEF3859F2DCEC8D92C88E669D8863E76D53BC09C7F3C91C
                                                                        SHA-512:77EE506E3A83F9E4F4431E97D366DFA7DE6F427D0055C197B32D401434AF4C50EDBDA3EDCACEBB72A572EB0F4FB7057B08D854619AED1303EEDD3DB6AEEFF1D5
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:..bg....
                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):4
                                                                        Entropy (8bit):0.8112781244591328
                                                                        Encrypted:false
                                                                        SSDEEP:3:M:M
                                                                        MD5:4352D88A78AA39750BF70CD6F27BCAA5
                                                                        SHA1:3C585604E87F855973731FEA83E21FAB9392D2FC
                                                                        SHA-256:67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
                                                                        SHA-512:EDF92E3D4F80FC47D948EA2F17B9BFC742D34E2E785A7A4927F3E261E8BD9D400B648BFF2123B8396D24FB28F5869979E08D58B4B5D156E640344A2C0A54675D
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Process:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):128
                                                                        Entropy (8bit):2.9012093522336393
                                                                        Encrypted:false
                                                                        SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
                                                                        MD5:679DD163372163CD8FFC24E3C9E758B3
                                                                        SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
                                                                        SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
                                                                        SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1645320
                                                                        Entropy (8bit):6.787752063353702
                                                                        Encrypted:false
                                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:MS Windows HtmlHelp Data
                                                                        Category:dropped
                                                                        Size (bytes):78183
                                                                        Entropy (8bit):7.692742945771669
                                                                        Encrypted:false
                                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):176128
                                                                        Entropy (8bit):6.204917493416147
                                                                        Encrypted:false
                                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):1645320
                                                                        Entropy (8bit):6.787752063353702
                                                                        Encrypted:false
                                                                        SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                        MD5:871C903A90C45CA08A9D42803916C3F7
                                                                        SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                        SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                        SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):3186888
                                                                        Entropy (8bit):6.230474684772782
                                                                        Encrypted:false
                                                                        SSDEEP:49152:MYOSeerrANJi8JBsNkPB4jnCViGF1awdEYO:lVeevAb/2kZ4jGiGFdO
                                                                        MD5:E83CE4636B3E2DB208D20BF34F505D15
                                                                        SHA1:B4AC7F4F9430B766EFCAC3226F88DBA886F8187D
                                                                        SHA-256:7A5B7EB1FD83DC074CFB64F5E1B44CCABFA7C9B56070161FAE8CA382A43C54CE
                                                                        SHA-512:437011046262723E831819FA037EFD4FA6BED1D8B976D3D60080FD1E926B70E431464B7212DAFD88801ED0FDD4934B37C509DC2C675F674DF7EF9E9B82546D2C
                                                                        Malicious:false
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\is-H9I2V.tmp, Author: Joe Security
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):645592
                                                                        Entropy (8bit):6.50414583238337
                                                                        Encrypted:false
                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):348160
                                                                        Entropy (8bit):6.542655141037356
                                                                        Encrypted:false
                                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):499712
                                                                        Entropy (8bit):6.414789978441117
                                                                        Encrypted:false
                                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:MS Windows HtmlHelp Data
                                                                        Category:dropped
                                                                        Size (bytes):78183
                                                                        Entropy (8bit):7.692742945771669
                                                                        Encrypted:false
                                                                        SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                        MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                        SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                        SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                        SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):176128
                                                                        Entropy (8bit):6.204917493416147
                                                                        Encrypted:false
                                                                        SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                        MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                        SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                        SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                        SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:modified
                                                                        Size (bytes):3186888
                                                                        Entropy (8bit):6.230475147166178
                                                                        Encrypted:false
                                                                        SSDEEP:49152:5YOSeerrANJi8JBsNkPB4jnCViGF1awdEYO:SVeevAb/2kZ4jGiGFdO
                                                                        MD5:1BADA3AB49364C26DA68D41031611AC7
                                                                        SHA1:5BBB3CA5C6CED071A4297E0DB6C8AA96B16FA96B
                                                                        SHA-256:F8A65D51ACF7D271F7BA0114366234DCE29BE27CFB73CA94AF990EC379350149
                                                                        SHA-512:CFA982246856746524ECF44D45F5697B52DC6E90A828625697116B856CB7B51080562607EB89910216D18C8C13E2AED2AAAD65C58F66DEE3B6CDB79405C36701
                                                                        Malicious:true
                                                                        Yara Hits:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe, Author: Joe Security
                                                                        Antivirus:
                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):499712
                                                                        Entropy (8bit):6.414789978441117
                                                                        Encrypted:false
                                                                        SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                        MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                        SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                        SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                        SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):348160
                                                                        Entropy (8bit):6.542655141037356
                                                                        Encrypted:false
                                                                        SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                        MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                        SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                        SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                        SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):645592
                                                                        Entropy (8bit):6.50414583238337
                                                                        Encrypted:false
                                                                        SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                        MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                        SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                        SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                        SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):717985
                                                                        Entropy (8bit):6.514903952773555
                                                                        Encrypted:false
                                                                        SSDEEP:12288:STPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+FIq5MRxyFw:aPcYn5c/rPx37/zHBA6pFptZ1CE8qMR1
                                                                        MD5:EACFC79F02180D07DE98139B1DD89524
                                                                        SHA1:600E37A407063B3582FFC73A82BCDCA0928FD79D
                                                                        SHA-256:D2909621E8EE51030A7EAD10479DD88EDC1B0CA8489C0756A8FD2F5705DB2534
                                                                        SHA-512:BF30948AC036BBC7EEAC95250789754E85AFD856992FA1AD688B6F2F44D7871BB7C18A255A97AF190606E6184B3010D89F69269019DCBED3311470823994E320
                                                                        Malicious:true
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:InnoSetup Log MediaCodecPack, version 0x30, 4696 bytes, 888683\user, "C:\Users\user\AppData\Local\MediaCodecPack 1.1.22"
                                                                        Category:dropped
                                                                        Size (bytes):4696
                                                                        Entropy (8bit):4.719082119807002
                                                                        Encrypted:false
                                                                        SSDEEP:96:Vp9LdWs38tpRuk3mq9V+eOIhswa7ICSss/Ln2TinLxYyrPy9y9cPE:Vp9LdWs3KpRukW1HIhs3ICSsAn2TCLxX
                                                                        MD5:0A7D2039D23880FC09FEE7665FC96502
                                                                        SHA1:C9D2B9EBCF3A2689791EFEFDAF29200B3EE5D800
                                                                        SHA-256:4AC7C0A479DCF55BCE48D5B4F445EE11DDD2774BE5949F3E1CD2A08CC08B42E4
                                                                        SHA-512:D422908F977DF42F77AC7AA7D85DF71650664BCB8F5FA33B8330C6B3CF222615724B0EF345A9C4B2C5916C751495AAF24FC2CFF6D5384F84597D7E3A5B9A5816
                                                                        Malicious:false
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):717985
                                                                        Entropy (8bit):6.514903952773555
                                                                        Encrypted:false
                                                                        SSDEEP:12288:STPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+FIq5MRxyFw:aPcYn5c/rPx37/zHBA6pFptZ1CE8qMR1
                                                                        MD5:EACFC79F02180D07DE98139B1DD89524
                                                                        SHA1:600E37A407063B3582FFC73A82BCDCA0928FD79D
                                                                        SHA-256:D2909621E8EE51030A7EAD10479DD88EDC1B0CA8489C0756A8FD2F5705DB2534
                                                                        SHA-512:BF30948AC036BBC7EEAC95250789754E85AFD856992FA1AD688B6F2F44D7871BB7C18A255A97AF190606E6184B3010D89F69269019DCBED3311470823994E320
                                                                        Malicious:true
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):2560
                                                                        Entropy (8bit):2.8818118453929262
                                                                        Encrypted:false
                                                                        SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                        MD5:A69559718AB506675E907FE49DEB71E9
                                                                        SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                        SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                        SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                        Malicious:true
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):6144
                                                                        Entropy (8bit):4.289297026665552
                                                                        Encrypted:false
                                                                        SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                        MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                        SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                        SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                        SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):23312
                                                                        Entropy (8bit):4.596242908851566
                                                                        Encrypted:false
                                                                        SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                        MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                        SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                        SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                        SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                        Malicious:false
                                                                        Antivirus:
                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                        Process:C:\Users\user\Desktop\steel.exe.3.exe
                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):706560
                                                                        Entropy (8bit):6.5063766308210695
                                                                        Encrypted:false
                                                                        SSDEEP:12288:aTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+FIq5MRxyF:yPcYn5c/rPx37/zHBA6pFptZ1CE8qMRU
                                                                        MD5:192CB1EFDC38E560F417C173410B8749
                                                                        SHA1:95EC6D2B92A9E9EC5EA4F18CA20061B9A5F1354E
                                                                        SHA-256:EC21B358820D9243942D00CD757973F8C023D2A4964561E612C6DF1B0B32BAD9
                                                                        SHA-512:356FB46E7346EFA9F62401F36C3F8B3282B3B9580B00434AC72E0B7E364A483695776489829656D0AD18F99521A2127E9C490E7371988FF613E62DF1444A81C5
                                                                        Malicious:true
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                        Entropy (8bit):7.997553528524186
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 98.73%
                                                                        • Inno Setup installer (109748/4) 1.08%
                                                                        • Windows Screen Saver (13104/52) 0.13%
                                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        File name:steel.exe.3.exe
                                                                        File size:3'295'664 bytes
                                                                        MD5:db153670ed84a7e848fa356e7aecc80d
                                                                        SHA1:7c6be83fc3b7af9c5980c6d46a4a604b7c878ebd
                                                                        SHA256:ba58d3f14d7e106b3ad8d60501bdbcaf19506731b5085d478d9a0887e6b0b524
                                                                        SHA512:079bacd7beb23aa0e2b8c52ccebc13d65792bd39fb45c8831da4947af10d5d31b99115ddf68163466578d90bfebf8e8892b1e827f263ace569a78af51c610e36
                                                                        SSDEEP:49152:C9XpqfbcbSvc5ktiyevRogYI28M5Ycv85L60t8IWOrVqmnf3jiJKuNqz:MnbStH8ogYI28S5v8G/OocpYqz
                                                                        TLSH:43E533604C940DB4D06224B63A31C3BD5BB36C1E882D1957249CFD6BBB168D8EA5BF4F
                                                                        Icon Hash:2d2e3797b32b2b99
                                                                        Entrypoint:0x40a5f8
                                                                        Entrypoint Section:CODE
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:1
                                                                        OS Version Minor:0
                                                                        File Version Major:1
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:1
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:884310b1928934402ea6fec1dbd3cf5e
                                                                        Instruction
                                                                        push ebp
                                                                        mov ebp, esp
                                                                        add esp, FFFFFFC4h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        xor eax, eax
                                                                        mov dword ptr [ebp-10h], eax
                                                                        mov dword ptr [ebp-24h], eax
                                                                        call 00007FF618CDA733h
                                                                        call 00007FF618CDB93Ah
                                                                        call 00007FF618CDBBC9h
                                                                        call 00007FF618CDBC6Ch
                                                                        call 00007FF618CDDC0Bh
                                                                        call 00007FF618CE0576h
                                                                        call 00007FF618CE06DDh
                                                                        xor eax, eax
                                                                        push ebp
                                                                        push 0040ACC9h
                                                                        push dword ptr fs:[eax]
                                                                        mov dword ptr fs:[eax], esp
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040AC92h
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        mov eax, dword ptr [0040C014h]
                                                                        call 00007FF618CE118Bh
                                                                        call 00007FF618CE0D76h
                                                                        cmp byte ptr [0040B234h], 00000000h
                                                                        je 00007FF618CE1C6Eh
                                                                        call 00007FF618CE1288h
                                                                        xor eax, eax
                                                                        call 00007FF618CDB429h
                                                                        lea edx, dword ptr [ebp-10h]
                                                                        xor eax, eax
                                                                        call 00007FF618CDE21Bh
                                                                        mov edx, dword ptr [ebp-10h]
                                                                        mov eax, 0040CE28h
                                                                        call 00007FF618CDA7CAh
                                                                        push 00000002h
                                                                        push 00000000h
                                                                        push 00000001h
                                                                        mov ecx, dword ptr [0040CE28h]
                                                                        mov dl, 01h
                                                                        mov eax, 0040738Ch
                                                                        call 00007FF618CDEAAAh
                                                                        mov dword ptr [0040CE2Ch], eax
                                                                        xor edx, edx
                                                                        push ebp
                                                                        push 0040AC4Ah
                                                                        push dword ptr fs:[edx]
                                                                        mov dword ptr fs:[edx], esp
                                                                        call 00007FF618CE11E6h
                                                                        mov dword ptr [0040CE34h], eax
                                                                        mov eax, dword ptr [0040CE34h]
                                                                        cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | fcbf401062477a1819ab7c1055c10acc | False | 0.3254616477272727 | data | 4.4922954803823965 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2610410094637224
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Language of compilation system | Country where language is spoken | Map
Dutch | Netherlands |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-18T13:53:32.123965+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.11 | 49977 | 188.119.66.185 | 443 | TCP
2024-12-18T13:53:32.813853+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.11 | 49977 | 188.119.66.185 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 13:53:30.364563942 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:30.364610910 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:30.364717960 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:30.376810074 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:30.376825094 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.123871088 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.123965025 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.195750952 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.195766926 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.196139097 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.196192026 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.199845076 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.247324944 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.813880920 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.813937902 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.813950062 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.813962936 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Dec 18, 2024 13:53:32.813990116 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.814016104 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.816517115 CET | 49977 | 443 | 192.168.2.11 | 188.119.66.185
Dec 18, 2024 13:53:32.816530943 CET | 443 | 49977 | 188.119.66.185 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 13:51:21.965604067 CET | 1.1.1.1 | 192.168.2.11 | 0x2351 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 13:51:21.965604067 CET | 1.1.1.1 | 192.168.2.11 | 0x2351 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
                                                                        • 188.119.66.185
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49977 | 188.119.66.185 | 443 | 7872 | C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-18 12:53:32 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab942463b774fe6a0231e72eee7c4db7e40b82a8dcd6c946851e300888c3250aa15d605633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda36261fd0348b HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-18 12:53:32 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 18 Dec 2024 12:53:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-18 12:53:32 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250

                                                                        Target ID:1
                                                                        Start time:07:51:24
                                                                        Start date:18/12/2024
                                                                        Path:C:\Users\user\Desktop\steel.exe.3.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\steel.exe.3.exe"
                                                                        Imagebase:0x400000
                                                                        File size:3'295'664 bytes
                                                                        MD5 hash:DB153670ED84A7E848FA356E7AECC80D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:2
                                                                        Start time:07:51:24
                                                                        Start date:18/12/2024
                                                                        Path:C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-M1QFO.tmp\steel.exe.3.tmp" /SL5="$1044A,3046688,56832,C:\Users\user\Desktop\steel.exe.3.exe"
                                                                        Imagebase:0x400000
                                                                        File size:706'560 bytes
                                                                        MD5 hash:192CB1EFDC38E560F417C173410B8749
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000002.3209734982.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:3
                                                                        Start time:07:51:26
                                                                        Start date:18/12/2024
                                                                        Path:C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe" -i
                                                                        Imagebase:0x400000
                                                                        File size:3'186'888 bytes
                                                                        MD5 hash:1BADA3AB49364C26DA68D41031611AC7
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1374989134.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.3210153600.0000000002B63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\MediaCodecPack 1.1.22\mediacodecpack3.exe, Author: Joe Security
                                                                        Antivirus matches:
                                                                        • Detection: 100%, Joe Sandbox ML
                                                                        Reputation:low
                                                                        Has exited:false

                                                                          Execution Graph

                                                                          Execution Coverage:21.4%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:2.4%
                                                                          Total number of Nodes:1520
                                                                          Total number of Limit Nodes:22
GetUserDefaultLangID 6039->6041 6046 409592 6039->6046 6040 409594 6050 407024 GetModuleHandleA GetProcAddress 6040->6050 6041->6046 6044 40956f 6044->5968 6045->6039 6045->6040 6045->6044 6046->6044 6047 4095cb GetACP 6046->6047 6048 4095ef 6046->6048 6047->6044 6047->6046 6048->6044 6049 409615 GetACP 6048->6049 6049->6044 6049->6048 6051 407067 6050->6051 6052 40705e 6050->6052 6053 407070 6051->6053 6054 4070a8 6051->6054 6061 403198 4 API calls 6052->6061 6071 406f68 6053->6071 6055 406f68 RegOpenKeyExA 6054->6055 6059 4070c1 6055->6059 6057 407089 6058 4070de 6057->6058 6074 406f5c 6057->6074 6063 40322c 4 API calls 6058->6063 6059->6058 6062 406f5c 20 API calls 6059->6062 6065 407120 6061->6065 6066 4070d5 RegCloseKey 6062->6066 6067 4070eb 6063->6067 6068 403198 4 API calls 6065->6068 6066->6058 6069 4032fc 18 API calls 6067->6069 6070 407128 6068->6070 6069->6052 6070->6046 6072 406f73 6071->6072 6073 406f79 RegOpenKeyExA 6071->6073 6072->6073 6073->6057 6077 406e10 6074->6077 6078 406e36 RegQueryValueExA 6077->6078 6079 406e59 6078->6079 6084 406e7b 6078->6084 6080 406e73 6079->6080 6079->6084 6085 403278 18 API calls 6079->6085 6086 403420 18 API calls 6079->6086 6082 403198 4 API calls 6080->6082 6081 403198 4 API calls 6083 406f47 RegCloseKey 6081->6083 6082->6084 6083->6058 6084->6081 6085->6079 6087 406eb0 RegQueryValueExA 6086->6087 6087->6078 6088 406ecc 6087->6088 6088->6084 6089 4034f0 18 API calls 6088->6089 6090 406f0e 6089->6090 6091 406f20 6090->6091 6093 403420 18 API calls 6090->6093 6092 4031e8 18 API calls 6091->6092 6092->6084 6093->6091 6136 406a58 6094->6136 6097 406d26 6099 406a58 19 API calls 6097->6099 6101 406d72 6097->6101 6100 406d36 6099->6100 6102 406d42 6100->6102 6105 406a34 21 API calls 6100->6105 6144 406888 6101->6144 6102->6101 6103 406d67 6102->6103 6106 406a58 19 API calls 6102->6106 6103->6101 6156 406cc8 GetWindowsDirectoryA 6103->6156 6105->6102 6109 406d5b 6106->6109 6109->6103 6112 406a34 21 API calls 6109->6112 
6110 406638 19 API calls 6111 406d87 6110->6111 6113 40322c 4 API calls 6111->6113 6112->6103 6114 406d91 6113->6114 6115 4031b8 4 API calls 6114->6115 6116 406dab 6115->6116 6116->5978 6118 409244 6117->6118 6119 406638 19 API calls 6118->6119 6120 40925d 6119->6120 6121 40322c 4 API calls 6120->6121 6128 409268 6121->6128 6122 406978 20 API calls 6122->6128 6124 408dd8 18 API calls 6124->6128 6125 4033b4 18 API calls 6125->6128 6126 405890 18 API calls 6126->6128 6128->6122 6128->6124 6128->6125 6128->6126 6129 4092e4 6128->6129 6196 4091b0 6128->6196 6204 409034 6128->6204 6130 40322c 4 API calls 6129->6130 6131 4092ef 6130->6131 6132 4031b8 4 API calls 6131->6132 6133 409309 6132->6133 6134 403198 4 API calls 6133->6134 6135 409311 6134->6135 6135->5978 6137 4034f0 18 API calls 6136->6137 6138 406a6b 6137->6138 6139 406a82 GetEnvironmentVariableA 6138->6139 6143 406a95 6138->6143 6158 406dec 6138->6158 6139->6138 6140 406a8e 6139->6140 6141 403198 4 API calls 6140->6141 6141->6143 6143->6097 6153 406a34 6143->6153 6145 403414 6144->6145 6146 4068ab GetFullPathNameA 6145->6146 6147 4068b7 6146->6147 6148 4068ce 6146->6148 6147->6148 6150 4068bf 6147->6150 6149 40322c 4 API calls 6148->6149 6152 4068cc 6149->6152 6151 403278 18 API calls 6150->6151 6151->6152 6152->6110 6162 4069dc 6153->6162 6157 406ce9 6156->6157 6157->6101 6159 406dfa 6158->6159 6160 4034f0 18 API calls 6159->6160 6161 406e08 6160->6161 6161->6138 6169 406978 6162->6169 6164 4069fe 6165 406a06 GetFileAttributesA 6164->6165 6166 406a1b 6165->6166 6167 403198 4 API calls 6166->6167 6168 406a23 6167->6168 6168->6097 6179 406744 6169->6179 6171 4069b0 6174 4069c6 6171->6174 6175 4069bb 6171->6175 6173 406989 6173->6171 6186 406970 CharPrevA 6173->6186 6187 403454 6174->6187 6177 40322c 4 API calls 6175->6177 6178 4069c4 6177->6178 6178->6164 6182 406755 6179->6182 6180 4067b9 6181 406680 IsDBCSLeadByte 6180->6181 6183 4067b4 6180->6183 6181->6183 6182->6180 6185 406773 6182->6185 6183->6173 
6185->6183 6194 406680 IsDBCSLeadByte 6185->6194 6186->6173 6188 403486 6187->6188 6189 403459 6187->6189 6190 403198 4 API calls 6188->6190 6189->6188 6192 40346d 6189->6192 6191 40347c 6190->6191 6191->6178 6193 403278 18 API calls 6192->6193 6193->6191 6195 406694 6194->6195 6195->6185 6197 403198 4 API calls 6196->6197 6199 4091d1 6197->6199 6201 4091fe 6199->6201 6213 4032a8 6199->6213 6216 403494 6199->6216 6202 403198 4 API calls 6201->6202 6203 409213 6202->6203 6203->6128 6205 408f70 2 API calls 6204->6205 6206 40904a 6205->6206 6207 40904e 6206->6207 6220 406a48 6206->6220 6207->6128 6210 409081 6211 408fac Wow64RevertWow64FsRedirection 6210->6211 6212 409089 6211->6212 6212->6128 6214 403278 18 API calls 6213->6214 6215 4032b5 6214->6215 6215->6199 6217 403498 6216->6217 6219 4034c3 6216->6219 6218 4034f0 18 API calls 6217->6218 6218->6219 6219->6199 6221 4069dc 21 API calls 6220->6221 6222 406a52 GetLastError 6221->6222 6222->6210 6224 406744 IsDBCSLeadByte 6223->6224 6226 406835 6224->6226 6225 40687f 6225->5992 6226->6225 6227 406680 IsDBCSLeadByte 6226->6227 6227->6226 6229 4068f3 6228->6229 6230 406820 IsDBCSLeadByte 6229->6230 6233 4068fe 6230->6233 6231 4066ea 6231->5997 6231->5998 6232 406680 IsDBCSLeadByte 6232->6233 6233->6231 6233->6232 6235 406957 6234->6235 6236 40695b 6234->6236 6235->6011 6239 406970 CharPrevA 6236->6239 6238 40696c 6238->6011 6239->6238 6814 408f30 6817 408dfc 6814->6817 6818 408e05 6817->6818 6819 403198 4 API calls 6818->6819 6820 408e13 6818->6820 6819->6818 6821 403932 6822 403924 6821->6822 6823 40374c VariantClear 6822->6823 6824 40392c 6823->6824 5384 4075c4 SetFilePointer 5385 4075f7 5384->5385 5386 4075e7 GetLastError 5384->5386 5386->5385 5387 4075f0 5386->5387 5389 40748c GetLastError 5387->5389 5392 4073ec 5389->5392 5393 407284 19 API calls 5392->5393 5394 407414 5393->5394 5395 407434 5394->5395 5397 405194 33 API calls 5394->5397 5396 405890 18 API calls 5395->5396 5398 407443 5396->5398 5397->5395 5399 
403198 4 API calls 5398->5399 5400 407460 5399->5400 5400->5385 6415 4076c8 WriteFile 6416 4076e8 6415->6416 6419 4076ef 6415->6419 6417 40748c 35 API calls 6416->6417 6417->6419 6418 407700 6419->6418 6420 4073ec 34 API calls 6419->6420 6420->6418 6421 402ccc 6424 402cfe 6421->6424 6425 402cdd 6421->6425 6422 402d88 RtlUnwind 6423 403154 4 API calls 6422->6423 6423->6424 6425->6422 6425->6424 6426 402b28 RaiseException 6425->6426 6427 402d7f 6426->6427 6427->6422 6833 403fcd 6834 403f07 4 API calls 6833->6834 6835 403fd6 6834->6835 6836 403e9c 4 API calls 6835->6836 6837 403fe2 6836->6837 6434 4024d0 6435 4024e4 6434->6435 6436 4024e9 6434->6436 6439 401918 4 API calls 6435->6439 6437 402518 6436->6437 6438 40250e RtlEnterCriticalSection 6436->6438 6441 4024ed 6436->6441 6449 402300 6437->6449 6438->6437 6439->6436 6442 402525 6445 402581 6442->6445 6446 402577 RtlLeaveCriticalSection 6442->6446 6444 401fd4 14 API calls 6447 402531 6444->6447 6446->6445 6447->6442 6448 40215c 9 API calls 6447->6448 6448->6442 6450 402314 6449->6450 6452 4023b8 6450->6452 6453 402335 6450->6453 6451 402344 6451->6442 6451->6444 6452->6451 6454 401d80 9 API calls 6452->6454 6457 402455 6452->6457 6459 401e84 6452->6459 6453->6451 6455 401b74 9 API calls 6453->6455 6454->6452 6455->6451 6457->6451 6458 401d00 9 API calls 6457->6458 6458->6451 6464 401768 6459->6464 6461 401e99 6462 401ea6 6461->6462 6463 401dcc 9 API calls 6461->6463 6462->6452 6463->6462 6465 401787 6464->6465 6466 40183b 6465->6466 6467 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6465->6467 6468 40132c LocalAlloc 6465->6468 6470 401821 6465->6470 6472 4017d6 6465->6472 6469 4015c4 VirtualAlloc 6466->6469 6473 4017e7 6466->6473 6467->6465 6468->6465 6469->6473 6471 40150c VirtualFree 6470->6471 6471->6473 6474 40150c VirtualFree 6472->6474 6473->6461 6474->6473 6475 4028d2 6476 4028da 6475->6476 6477 403554 4 API calls 6476->6477 6478 4028ef 6476->6478 6477->6476 6479 4025ac 4 API calls 6478->6479 6480 
4028f4 6479->6480 6838 4019d3 6839 4019ba 6838->6839 6840 4019c3 RtlLeaveCriticalSection 6839->6840 6841 4019cd 6839->6841 6840->6841 5401 407fd4 5402 407fe6 5401->5402 5404 407fed 5401->5404 5412 407f10 5402->5412 5405 408021 5404->5405 5407 408015 5404->5407 5408 408017 5404->5408 5406 40804e 5405->5406 5410 407d7c 33 API calls 5405->5410 5426 407e2c 5407->5426 5423 407d7c 5408->5423 5410->5406 5413 407f25 5412->5413 5414 407d7c 33 API calls 5413->5414 5415 407f34 5413->5415 5414->5415 5416 407f6e 5415->5416 5418 407d7c 33 API calls 5415->5418 5417 407f82 5416->5417 5419 407d7c 33 API calls 5416->5419 5422 407fae 5417->5422 5433 407eb8 5417->5433 5418->5416 5419->5417 5422->5404 5436 4058c4 5423->5436 5425 407d9e 5425->5405 5427 405194 33 API calls 5426->5427 5428 407e57 5427->5428 5444 407de4 5428->5444 5430 407e5f 5431 403198 4 API calls 5430->5431 5432 407e74 5431->5432 5432->5405 5434 407ec7 VirtualFree 5433->5434 5435 407ed9 VirtualAlloc 5433->5435 5434->5435 5435->5422 5438 4058d0 5436->5438 5437 405194 33 API calls 5439 4058fd 5437->5439 5438->5437 5440 4031e8 18 API calls 5439->5440 5441 405908 5440->5441 5442 403198 4 API calls 5441->5442 5443 40591d 5442->5443 5443->5425 5445 4058c4 33 API calls 5444->5445 5446 407e06 5445->5446 5446->5430 6481 405ad4 6482 405ae4 6481->6482 6483 405adc 6481->6483 6484 405ae2 6483->6484 6485 405aeb 6483->6485 6488 405a4c 6484->6488 6486 405940 19 API calls 6485->6486 6486->6482 6489 405a54 6488->6489 6490 405a6e 6489->6490 6491 403154 4 API calls 6489->6491 6492 405a73 6490->6492 6493 405a8a 6490->6493 6491->6489 6494 405940 19 API calls 6492->6494 6495 403154 4 API calls 6493->6495 6496 405a86 6494->6496 6497 405a8f 6495->6497 6499 403154 4 API calls 6496->6499 6498 4059b0 33 API calls 6497->6498 6498->6496 6500 405ab8 6499->6500 6501 403154 4 API calls 6500->6501 6502 405ac6 6501->6502 6502->6482 5914 40a9de 5915 40aa03 5914->5915 5916 407918 InterlockedExchange 5915->5916 5917 40aa2d 5916->5917 5918 40aa3d 5917->5918 
5919 409ae8 18 API calls 5917->5919 5924 4076ac SetEndOfFile 5918->5924 5919->5918 5921 40aa59 5922 4025ac 4 API calls 5921->5922 5923 40aa90 5922->5923 5925 4076c3 5924->5925 5926 4076bc 5924->5926 5925->5921 5927 40748c 35 API calls 5926->5927 5927->5925 6845 402be9 RaiseException 6846 402c04 6845->6846 6513 402af2 6514 402afe 6513->6514 6517 402ed0 6514->6517 6518 403154 4 API calls 6517->6518 6520 402ee0 6518->6520 6519 402b03 6520->6519 6522 402b0c 6520->6522 6523 402b25 6522->6523 6524 402b15 RaiseException 6522->6524 6523->6519 6524->6523 5452 40a5f8 5495 4030dc 5452->5495 5454 40a60e 5498 4042e8 5454->5498 5456 40a613 5501 40457c GetModuleHandleA GetProcAddress 5456->5501 5460 40a61d 5509 4065c8 5460->5509 5462 40a622 5518 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5462->5518 5469 40a665 5540 406c2c 5469->5540 5473 4031e8 18 API calls 5474 40a683 5473->5474 5554 4074e0 5474->5554 5480 407918 InterlockedExchange 5482 40a6d2 5480->5482 5481 40a710 5574 4074a0 5481->5574 5482->5481 5611 409ae8 5482->5611 5484 40a751 5578 407a28 5484->5578 5485 40a736 5485->5484 5486 409ae8 18 API calls 5485->5486 5486->5484 5488 40a776 5588 408b08 5488->5588 5492 40a7bc 5493 408b08 35 API calls 5492->5493 5494 40a7f5 5492->5494 5493->5492 5621 403094 5495->5621 5497 4030e1 GetModuleHandleA GetCommandLineA 5497->5454 5499 403154 4 API calls 5498->5499 5500 404323 5498->5500 5499->5500 5500->5456 5502 404598 5501->5502 5503 40459f GetProcAddress 5501->5503 5502->5503 5504 4045b5 GetProcAddress 5503->5504 5505 4045ae 5503->5505 5506 4045c4 SetProcessDEPPolicy 5504->5506 5507 4045c8 5504->5507 5505->5504 5506->5507 5508 404624 6F0F1CD0 5507->5508 5508->5460 5622 405ca8 5509->5622 5519 4090f7 5518->5519 5706 406fa0 SetErrorMode 5519->5706 5522 407284 19 API calls 5523 409127 5522->5523 5524 403198 4 API calls 5523->5524 5525 40913c 5524->5525 5526 409b78 GetSystemInfo VirtualQuery 5525->5526 5527 409c2c 5526->5527 5530 409ba2 5526->5530 5532 409768 
5527->5532 5528 409c0d VirtualQuery 5528->5527 5528->5530 5529 409bcc VirtualProtect 5529->5530 5530->5527 5530->5528 5530->5529 5531 409bfb VirtualProtect 5530->5531 5531->5528 5712 406bd0 GetCommandLineA 5532->5712 5534 409850 5535 4031b8 4 API calls 5534->5535 5537 40986a 5535->5537 5536 406c2c 20 API calls 5539 409785 5536->5539 5537->5469 5604 409c88 5537->5604 5538 403454 18 API calls 5538->5539 5539->5534 5539->5536 5539->5538 5541 406c53 GetModuleFileNameA 5540->5541 5542 406c77 GetCommandLineA 5540->5542 5543 403278 18 API calls 5541->5543 5550 406c7c 5542->5550 5544 406c75 5543->5544 5548 406ca4 5544->5548 5545 406c81 5546 403198 4 API calls 5545->5546 5549 406c89 5546->5549 5547 406af0 18 API calls 5547->5550 5551 403198 4 API calls 5548->5551 5552 40322c 4 API calls 5549->5552 5550->5545 5550->5547 5550->5549 5553 406cb9 5551->5553 5552->5548 5553->5473 5555 4074ea 5554->5555 5719 407576 5555->5719 5722 407578 5555->5722 5556 407516 5557 40752a 5556->5557 5558 40748c 35 API calls 5556->5558 5561 409c34 FindResourceA 5557->5561 5558->5557 5562 409c49 5561->5562 5563 409c4e SizeofResource 5561->5563 5564 409ae8 18 API calls 5562->5564 5565 409c60 LoadResource 5563->5565 5566 409c5b 5563->5566 5564->5563 5568 409c73 LockResource 5565->5568 5569 409c6e 5565->5569 5567 409ae8 18 API calls 5566->5567 5567->5565 5571 409c84 5568->5571 5572 409c7f 5568->5572 5570 409ae8 18 API calls 5569->5570 5570->5568 5571->5480 5571->5482 5573 409ae8 18 API calls 5572->5573 5573->5571 5576 4074b4 5574->5576 5575 4074c4 5575->5485 5576->5575 5577 4073ec 34 API calls 5576->5577 5577->5575 5579 407a35 5578->5579 5580 405890 18 API calls 5579->5580 5581 407a89 5579->5581 5580->5581 5582 407918 InterlockedExchange 5581->5582 5583 407a9b 5582->5583 5584 405890 18 API calls 5583->5584 5585 407ab1 5583->5585 5584->5585 5586 405890 18 API calls 5585->5586 5587 407af4 5585->5587 5586->5587 5587->5488 5593 408b82 5588->5593 5595 408b39 5588->5595 5589 408bcd 5725 407cb8 5589->5725 
5591 4034f0 18 API calls 5591->5595 5592 408be4 5596 4031b8 4 API calls 5592->5596 5593->5589 5594 4034f0 18 API calls 5593->5594 5600 403420 18 API calls 5593->5600 5601 4031e8 18 API calls 5593->5601 5603 407cb8 35 API calls 5593->5603 5594->5593 5595->5591 5595->5593 5597 403420 18 API calls 5595->5597 5598 4031e8 18 API calls 5595->5598 5602 407cb8 35 API calls 5595->5602 5599 408bfe 5596->5599 5597->5595 5598->5595 5618 404c20 5599->5618 5600->5593 5601->5593 5602->5595 5603->5593 5605 40322c 4 API calls 5604->5605 5606 409cab 5605->5606 5607 409cba MessageBoxA 5606->5607 5608 409ccf 5607->5608 5609 403198 4 API calls 5608->5609 5610 409cd7 5609->5610 5610->5469 5612 409af1 5611->5612 5613 409b09 5611->5613 5615 405890 18 API calls 5612->5615 5614 405890 18 API calls 5613->5614 5616 409b1a 5614->5616 5617 409b03 5615->5617 5616->5481 5617->5481 5747 402594 5618->5747 5620 404c2b 5620->5492 5621->5497 5623 405940 19 API calls 5622->5623 5624 405cb9 5623->5624 5625 405280 GetSystemDefaultLCID 5624->5625 5629 4052b6 5625->5629 5626 404cdc 19 API calls 5626->5629 5627 40520c 19 API calls 5627->5629 5628 4031e8 18 API calls 5628->5629 5629->5626 5629->5627 5629->5628 5630 405318 5629->5630 5631 40520c 19 API calls 5630->5631 5632 4031e8 18 API calls 5630->5632 5633 404cdc 19 API calls 5630->5633 5634 40539b 5630->5634 5631->5630 5632->5630 5633->5630 5635 4031b8 4 API calls 5634->5635 5636 4053b5 5635->5636 5637 4053c4 GetSystemDefaultLCID 5636->5637 5694 40520c GetLocaleInfoA 5637->5694 5640 4031e8 18 API calls 5641 405404 5640->5641 5642 40520c 19 API calls 5641->5642 5643 405419 5642->5643 5644 40520c 19 API calls 5643->5644 5645 40543d 5644->5645 5700 405258 GetLocaleInfoA 5645->5700 5648 405258 GetLocaleInfoA 5649 40546d 5648->5649 5650 40520c 19 API calls 5649->5650 5651 405487 5650->5651 5652 405258 GetLocaleInfoA 5651->5652 5653 4054a4 5652->5653 5654 40520c 19 API calls 5653->5654 5655 4054be 5654->5655 5656 4031e8 18 API calls 5655->5656 5657 4054cb 
5656->5657 5658 40520c 19 API calls 5657->5658 5659 4054e0 5658->5659 5660 4031e8 18 API calls 5659->5660 5661 4054ed 5660->5661 5662 405258 GetLocaleInfoA 5661->5662 5663 4054fb 5662->5663 5664 40520c 19 API calls 5663->5664 5665 405515 5664->5665 5666 4031e8 18 API calls 5665->5666 5667 405522 5666->5667 5668 40520c 19 API calls 5667->5668 5669 405537 5668->5669 5670 4031e8 18 API calls 5669->5670 5671 405544 5670->5671 5672 40520c 19 API calls 5671->5672 5673 405559 5672->5673 5674 405576 5673->5674 5675 405567 5673->5675 5677 40322c 4 API calls 5674->5677 5702 40322c 5675->5702 5678 405574 5677->5678 5679 40520c 19 API calls 5678->5679 5680 405598 5679->5680 5681 4055b5 5680->5681 5682 4055a6 5680->5682 5684 403198 4 API calls 5681->5684 5683 40322c 4 API calls 5682->5683 5685 4055b3 5683->5685 5684->5685 5686 4033b4 18 API calls 5685->5686 5687 4055d7 5686->5687 5688 4033b4 18 API calls 5687->5688 5689 4055f1 5688->5689 5690 4031b8 4 API calls 5689->5690 5691 40560b 5690->5691 5692 405cf4 GetVersionExA 5691->5692 5693 405d0b 5692->5693 5693->5462 5695 405233 5694->5695 5696 405245 5694->5696 5697 403278 18 API calls 5695->5697 5698 40322c 4 API calls 5696->5698 5699 405243 5697->5699 5698->5699 5699->5640 5701 405274 5700->5701 5701->5648 5704 403230 5702->5704 5703 403252 5703->5678 5704->5703 5705 4025ac 4 API calls 5704->5705 5705->5703 5710 403414 5706->5710 5709 406fee 5709->5522 5711 403418 LoadLibraryA 5710->5711 5711->5709 5713 406af0 18 API calls 5712->5713 5714 406bf3 5713->5714 5715 406c05 5714->5715 5716 406af0 18 API calls 5714->5716 5717 403198 4 API calls 5715->5717 5716->5714 5718 406c1a 5717->5718 5718->5539 5720 407578 5719->5720 5721 4075b7 CreateFileA 5720->5721 5721->5556 5723 403414 5722->5723 5724 4075b7 CreateFileA 5723->5724 5724->5556 5726 407cd3 5725->5726 5730 407cc8 5725->5730 5731 407c5c 5726->5731 5729 405890 18 API calls 5729->5730 5730->5592 5732 407c70 5731->5732 5733 407caf 5731->5733 5732->5733 5735 407bac 5732->5735 
5733->5729 5733->5730 5736 407bb7 5735->5736 5737 407bc8 5735->5737 5738 405890 18 API calls 5736->5738 5739 4074a0 34 API calls 5737->5739 5738->5737 5740 407bdc 5739->5740 5741 4074a0 34 API calls 5740->5741 5742 407bfd 5741->5742 5743 407918 InterlockedExchange 5742->5743 5744 407c12 5743->5744 5745 407c28 5744->5745 5746 405890 18 API calls 5744->5746 5745->5732 5746->5745 5748 402598 5747->5748 5750 4025a2 5747->5750 5753 401fd4 5748->5753 5749 40259e 5749->5750 5751 403154 4 API calls 5749->5751 5750->5620 5750->5750 5751->5750 5754 401fe8 5753->5754 5755 401fed 5753->5755 5764 401918 RtlInitializeCriticalSection 5754->5764 5757 402012 RtlEnterCriticalSection 5755->5757 5758 40201c 5755->5758 5761 401ff1 5755->5761 5757->5758 5758->5761 5771 401ee0 5758->5771 5761->5749 5762 402147 5762->5749 5763 40213d RtlLeaveCriticalSection 5763->5762 5765 40193c RtlEnterCriticalSection 5764->5765 5766 401946 5764->5766 5765->5766 5767 401964 LocalAlloc 5766->5767 5768 40197e 5767->5768 5769 4019c3 RtlLeaveCriticalSection 5768->5769 5770 4019cd 5768->5770 5769->5770 5770->5755 5774 401ef0 5771->5774 5772 401f1c 5776 401f40 5772->5776 5782 401d00 5772->5782 5774->5772 5774->5776 5777 401e58 5774->5777 5776->5762 5776->5763 5786 4016d8 5777->5786 5780 401e75 5780->5774 5783 401d4e 5782->5783 5784 401d1e 5782->5784 5783->5784 5855 401c68 5783->5855 5784->5776 5789 4016f4 5786->5789 5788 4016fe 5811 4015c4 5788->5811 5789->5788 5791 40175b 5789->5791 5794 40174f 5789->5794 5803 401430 5789->5803 5815 40132c 5789->5815 5791->5780 5796 401dcc 5791->5796 5793 40170a 5793->5791 5819 40150c 5794->5819 5829 401d80 5796->5829 5799 40132c LocalAlloc 5801 401df0 5799->5801 5800 401df8 5800->5780 5801->5800 5833 401b44 5801->5833 5804 40143f VirtualAlloc 5803->5804 5806 40146c 5804->5806 5807 40148f 5804->5807 5823 4012e4 5806->5823 5807->5789 5810 40147c VirtualFree 5810->5807 5813 40160a 5811->5813 5812 40163a 5812->5793 5813->5812 5814 401626 VirtualAlloc 5813->5814 5814->5812 
5814->5813 5816 401348 5815->5816 5817 4012e4 LocalAlloc 5816->5817 5818 40138f 5817->5818 5818->5789 5822 40153b 5819->5822 5820 401594 5820->5791 5821 401568 VirtualFree 5821->5822 5822->5820 5822->5821 5826 40128c 5823->5826 5827 401298 LocalAlloc 5826->5827 5828 4012aa 5826->5828 5827->5828 5828->5807 5828->5810 5830 401d89 5829->5830 5831 401d92 5829->5831 5830->5831 5838 401b74 5830->5838 5831->5799 5834 401b61 5833->5834 5835 401b52 5833->5835 5834->5800 5836 401d00 9 API calls 5835->5836 5837 401b5f 5836->5837 5837->5800 5841 40215c 5838->5841 5840 401b95 5840->5831 5842 40217a 5841->5842 5843 402175 5841->5843 5845 4021ab RtlEnterCriticalSection 5842->5845 5848 40217e 5842->5848 5853 4021b5 5842->5853 5844 401918 4 API calls 5843->5844 5844->5842 5845->5853 5846 4021c1 5849 4022e3 RtlLeaveCriticalSection 5846->5849 5850 4022ed 5846->5850 5847 402244 5847->5848 5851 401d80 7 API calls 5847->5851 5848->5840 5849->5850 5850->5840 5851->5848 5852 402270 5852->5846 5854 401d00 7 API calls 5852->5854 5853->5846 5853->5847 5853->5852 5854->5846 5856 401c7a 5855->5856 5857 401c9d 5856->5857 5858 401caf 5856->5858 5868 40188c 5857->5868 5860 40188c 3 API calls 5858->5860 5861 401cad 5860->5861 5862 401b44 9 API calls 5861->5862 5867 401cc5 5861->5867 5863 401cd4 5862->5863 5864 401cee 5863->5864 5878 401b98 5863->5878 5883 4013a0 5864->5883 5867->5784 5869 4018b2 5868->5869 5877 40190b 5868->5877 5887 401658 5869->5887 5872 40132c LocalAlloc 5873 4018cf 5872->5873 5874 4018e6 5873->5874 5875 40150c VirtualFree 5873->5875 5876 4013a0 LocalAlloc 5874->5876 5874->5877 5875->5874 5876->5877 5877->5861 5879 401bab 5878->5879 5880 401b9d 5878->5880 5879->5864 5881 401b74 9 API calls 5880->5881 5882 401baa 5881->5882 5882->5864 5884 4013ab 5883->5884 5885 4012e4 LocalAlloc 5884->5885 5886 4013c6 5884->5886 5885->5886 5886->5867 5888 40168f 5887->5888 5889 4016cf 5888->5889 5890 4016a9 VirtualFree 5888->5890 5889->5872 5890->5888 6847 402dfa 6848 402e0d 6847->6848 6850 
402e26 6847->6850 6851 402ba4 6848->6851 6852 402bc9 6851->6852 6853 402bad 6851->6853 6852->6850 6854 402bb5 RaiseException 6853->6854 6854->6852 6855 4075fa GetFileSize 6856 407626 6855->6856 6857 407616 GetLastError 6855->6857 6857->6856 6858 40761f 6857->6858 6859 40748c 35 API calls 6858->6859 6859->6856 6860 406ffb 6861 407008 SetErrorMode 6860->6861 6529 403a80 CloseHandle 6530 403a90 6529->6530 6531 403a91 GetLastError 6529->6531 6532 404283 6533 4042c3 6532->6533 6534 403154 4 API calls 6533->6534 6535 404323 6534->6535 6862 404185 6863 4041ff 6862->6863 6864 403154 4 API calls 6863->6864 6865 4041cc 6863->6865 6866 404323 6864->6866 6536 403e87 6537 403e4c 6536->6537 6538 403e62 6537->6538 6539 403e7b 6537->6539 6542 403e67 6537->6542 6545 403cc8 6538->6545 6540 402674 4 API calls 6539->6540 6543 403e78 6540->6543 6542->6543 6549 402674 6542->6549 6546 403cd6 6545->6546 6547 402674 4 API calls 6546->6547 6548 403ceb 6546->6548 6547->6548 6548->6542 6550 403154 4 API calls 6549->6550 6551 40267a 6550->6551 6551->6543 6560 407e90 6561 407eb8 VirtualFree 6560->6561 6562 407e9d 6561->6562 6565 403e95 6566 403e4c 6565->6566 6567 403e62 6566->6567 6568 403e7b 6566->6568 6571 403e67 6566->6571 6570 403cc8 4 API calls 6567->6570 6569 402674 4 API calls 6568->6569 6572 403e78 6569->6572 6570->6571 6571->6572 6573 402674 4 API calls 6571->6573 6573->6572 6574 40ac97 6583 4096fc 6574->6583 6577 402f24 5 API calls 6578 40aca1 6577->6578 6579 403198 4 API calls 6578->6579 6580 40acc0 6579->6580 6581 403198 4 API calls 6580->6581 6582 40acc8 6581->6582 6592 4056ac 6583->6592 6585 409745 6588 403198 4 API calls 6585->6588 6586 409717 6586->6585 6598 40720c 6586->6598 6590 40975a 6588->6590 6589 409735 6591 40973d MessageBoxA 6589->6591 6590->6577 6590->6578 6591->6585 6593 403154 4 API calls 6592->6593 6594 4056b1 6593->6594 6595 4056c9 6594->6595 6596 403154 4 API calls 6594->6596 6595->6586 6597 4056bf 6596->6597 6597->6586 6599 4056ac 4 API calls 6598->6599 6600 
40721b 6599->6600 6601 407221 6600->6601 6603 40722f 6600->6603 6602 40322c 4 API calls 6601->6602 6604 40722d 6602->6604 6605 40724b 6603->6605 6606 40723f 6603->6606 6604->6589 6616 4032b8 6605->6616 6609 4071d0 6606->6609 6610 40322c 4 API calls 6609->6610 6611 4071df 6610->6611 6612 4071fc 6611->6612 6613 406950 CharPrevA 6611->6613 6612->6604 6614 4071eb 6613->6614 6614->6612 6615 4032fc 18 API calls 6614->6615 6615->6612 6617 403278 18 API calls 6616->6617 6618 4032c2 6617->6618 6618->6604 6619 403a97 6620 403aac 6619->6620 6621 403ab2 6620->6621 6622 403bbc GetStdHandle 6620->6622 6623 403b0e CreateFileA 6620->6623 6624 403c17 GetLastError 6622->6624 6636 403bba 6622->6636 6623->6624 6625 403b2c 6623->6625 6624->6621 6627 403b3b GetFileSize 6625->6627 6625->6636 6627->6624 6628 403b4e SetFilePointer 6627->6628 6628->6624 6632 403b6a ReadFile 6628->6632 6629 403be7 GetFileType 6629->6621 6631 403c02 CloseHandle 6629->6631 6631->6621 6632->6624 6633 403b8c 6632->6633 6634 403b9f SetFilePointer 6633->6634 6633->6636 6634->6624 6635 403bb0 SetEndOfFile 6634->6635 6635->6624 6635->6636 6636->6621 6636->6629 6641 40aaa2 6642 40aad2 6641->6642 6643 40aadc CreateWindowExA SetWindowLongA 6642->6643 6644 405194 33 API calls 6643->6644 6645 40ab5f 6644->6645 6646 4032fc 18 API calls 6645->6646 6647 40ab6d 6646->6647 6648 4032fc 18 API calls 6647->6648 6649 40ab7a 6648->6649 6650 406b7c 19 API calls 6649->6650 6651 40ab86 6650->6651 6652 4032fc 18 API calls 6651->6652 6653 40ab8f 6652->6653 6654 4099ec 43 API calls 6653->6654 6655 40aba1 6654->6655 6656 4098cc 19 API calls 6655->6656 6657 40abb4 6655->6657 6656->6657 6658 40abed 6657->6658 6659 4094d8 9 API calls 6657->6659 6660 40ac06 6658->6660 6663 40ac00 RemoveDirectoryA 6658->6663 6659->6658 6661 40ac1a 6660->6661 6662 40ac0f DestroyWindow 6660->6662 6664 40ac42 6661->6664 6665 40357c 4 API calls 6661->6665 6662->6661 6663->6660 6666 40ac38 6665->6666 6667 4025ac 4 API calls 6666->6667 6667->6664 6879 405ba2 6881 

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                          • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                          • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                          • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$ProtectQuery$InfoSystem
                                                                          • String ID:
                                                                          • API String ID: 2441996862-0
                                                                          • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                          • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                          • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                          • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                          • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                          • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                          • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                          • API String ID: 3256987805-3653653586
                                                                          • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                          • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                          • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                          • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • SetLastError.KERNEL32 ref: 0040AAC1
                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020724A0), ref: 0040966C
                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                          • SetWindowLongA.USER32(0001044A,000000FC,00409960), ref: 0040AB15
                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                          • DestroyWindow.USER32(0001044A,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                          • API String ID: 3757039580-3001827809
                                                                          • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                          • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                          • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                          • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                          • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                          • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                          • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                          • SetWindowLongA.USER32(0001044A,000000FC,00409960), ref: 0040AB15
                                                                            • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                            • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724A0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                            • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724A0,00409AD8,00000000), ref: 00409A70
                                                                            • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                            • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                            • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724A0,00409AD8), ref: 00409AA4
                                                                          • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                          • DestroyWindow.USER32(0001044A,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                          • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                          • API String ID: 3586484885-3001827809
                                                                          • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                          • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                          • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                          • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724A0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                          • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724A0,00409AD8,00000000), ref: 00409A70
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                          • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020724A0,00409AD8), ref: 00409AA4
                                                                            • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020724A0), ref: 0040966C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                          • String ID: D
                                                                          • API String ID: 3356880605-2746444292
                                                                          • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                          • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                          • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                          • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69

                                                                          Control-flow Graph

APIs
• RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
• RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
• LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
• RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
• Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
• Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
• Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Control-flow Graph (graph image not reproduced)
APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
Strings
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Message
• String ID: .tmp$y@
• API String ID: 2030045667-2396523267
• Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
• Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
• Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
• Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

Control-flow Graph (graph image not reproduced)
APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
Strings
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: Message
• String ID: .tmp$y@
• API String ID: 2030045667-2396523267
• Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
• Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
• Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
• Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

Control-flow Graph (graph image not reproduced)
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
• GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
Strings
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
• Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

Control-flow Graph (graph image not reproduced)
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
• Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

Control-flow Graph (graph image not reproduced)
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
• Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
• Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

Control-flow Graph (graph image not reproduced)
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406FAA
• LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
• Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568
APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
• GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
• Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Control-flow Graph (graph image not reproduced)
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_steel.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
• Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
                                                                          • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                          • Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
                                                                          • Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
                                                                          • Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                          • Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
                                                                          • Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
                                                                          • Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
                                                                            • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
                                                                            • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                                          • String ID:
                                                                          • API String ID: 1658689577-0
                                                                          • Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                          • Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
                                                                          • Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
                                                                          • Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                          • Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
                                                                          • Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
                                                                          • Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                          • Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
                                                                          • Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
                                                                          • Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                          • Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
                                                                          • Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
                                                                          • Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
                                                                          APIs
                                                                          • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastWrite
                                                                          • String ID:
                                                                          • API String ID: 442123175-0
                                                                          • Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                          • Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
                                                                          • Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
                                                                          • Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
                                                                          APIs
                                                                          • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FormatMessage
                                                                          • String ID:
                                                                          • API String ID: 1306739567-0
                                                                          • Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                          • Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
                                                                          • Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
                                                                          • Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
                                                                          APIs
                                                                          • SetEndOfFile.KERNEL32(?,02088000,0040AA59,00000000), ref: 004076B3
                                                                            • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 734332943-0
                                                                          • Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                          • Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
                                                                          • Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
                                                                          • Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                          • Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
                                                                          • Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
                                                                          • Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                          • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                          • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                          • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                          APIs
                                                                          • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CharPrev
                                                                          • String ID:
                                                                          • API String ID: 122130370-0
                                                                          • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                          • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                          • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                          • Instruction Fuzzy Hash:
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                          • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                          • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                          • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                          • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                          • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                          • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                          • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                          • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                          • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 1263568516-0
                                                                          • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                          • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                          • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                          • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                          • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                          • String ID: SeShutdownPrivilege
                                                                          • API String ID: 107509674-3733053543
                                                                          • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                          • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                          • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                          • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                          • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                          • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                          • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID:
                                                                          • API String ID: 3473537107-0
                                                                          • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                          • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                          • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                          • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                          • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                          • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                          • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                          APIs
                                                                          • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: SystemTime
                                                                          • String ID:
                                                                          • API String ID: 2656138-0
                                                                          • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                          • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                          • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                          • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                          APIs
                                                                          • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Version
                                                                          • String ID:
                                                                          • API String ID: 1889659487-0
                                                                          • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                          • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                          • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                          • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                          • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                          • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                          • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressCloseHandleModuleProc
                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                          • API String ID: 4190037839-2401316094
                                                                          • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                          • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                          • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                          • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                          • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                          • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                            • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                            • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: InfoLocale$DefaultSystem
                                                                          • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                          • API String ID: 1044490935-665933166
                                                                          • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                          • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                          • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                          • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                          • LocalFree.KERNEL32(004DAB38,00000000,00401AB4), ref: 00401A1B
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,004DAB38,00000000,00401AB4), ref: 00401A3A
                                                                          • LocalFree.KERNEL32(004DBB38,?,00000000,00008000,004DAB38,00000000,00401AB4), ref: 00401A79
                                                                          • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                          • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID:
                                                                          • API String ID: 3782394904-0
                                                                          • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                          • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                          • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                          • ExitProcess.KERNEL32 ref: 00403DE5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000$9@
                                                                          • API String ID: 1220098344-1503883590
                                                                          • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                          • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                          • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                          • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                          • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                          • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                          • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CommandHandleLineModule
                                                                          • String ID: U1hd.@$%L
                                                                          • API String ID: 2123368496-90655549
                                                                          • Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
                                                                          • Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
                                                                          • Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID: )q@
                                                                          • API String ID: 3660427363-2284170586
                                                                          • Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                          • Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
                                                                          • Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
                                                                          • Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
                                                                          Strings
                                                                          • Setup, xrefs: 00409CAD
                                                                          • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Message
                                                                          • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                          • API String ID: 2030045667-3271211647
                                                                          • Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                          • Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
                                                                          • Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
                                                                          • Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
                                                                          APIs
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
                                                                          • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
                                                                          • GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.3208459673.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208553473.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.3208591578.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_1_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                          • Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
                                                                          • Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
                                                                          • Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9
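The function records above are what an analyst pivots on across reports: the API String ID and Instruction Fuzzy Hash identify code, not a particular build, so the same values recur in every sample that embeds the same runtime. Two of the records are worth naming: the "Runtime error at" MessageBoxA/ExitProcess pair is the Delphi RTL's fatal-error handler, and the "The Setup program accepts optional command line parameters" text is Inno Setup's standard usage message, so hits on those records identify the installer stub rather than the Socks5Systemz payload. The following is an added example, not part of the Joe Sandbox report or its tooling: a Python parser for the bullet layout used in these records, with the sample input constructed from the records on this page (trimmed to the bullets the parser reads) and helper functions for the usual pivots.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: two records in the Joe Sandbox IDA-plugin layout shown on this
# page, trimmed to the bullets the parser reads.
SAMPLE = """\
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
• Source File: 00000001.00000002.3208485974.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000$9@
• API String ID: 1220098344-1503883590
• Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
APIs
• MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
Strings
• Setup, xrefs: 00409CAD
Similarity
• API ID: Message
• API String ID: 2030045667-3271211647
• Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
"""

SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or, with no arguments, "Name.MODULE ref: ADDR"
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
XREF_RE = re.compile(r"^• (?P<string>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})$")
KV_RE = re.compile(r"^• (?P<key>[^:]+): ?(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[List[str]]   # None when the plugin printed no argument list
    ref: int                    # address of the call site


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)   # (string, xref address)
    fields: Dict[str, str] = field(default_factory=dict)           # Similarity / dump metadata bullets


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the plugin output into one record per 'APIs' header and parse its bullets."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if current is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else None
                current.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
                continue
        if section == "Strings":
            m = XREF_RE.match(line)
            if m:
                current.strings.append((m["string"], int(m["ref"], 16)))
                continue
        m = KV_RE.match(line)
        if m:
            current.fields[m["key"]] = m["value"]
    return records


def functions_calling(records: List[FunctionRecord], api_name: str) -> List[FunctionRecord]:
    return [r for r in records if any(a.name == api_name for a in r.apis)]


def imports_by_module(records: List[FunctionRecord]) -> Dict[str, Set[str]]:
    """Module -> set of API names, the quickest profile to compare between two reports."""
    out: Dict[str, Set[str]] = {}
    for r in records:
        for a in r.apis:
            out.setdefault(a.module, set()).add(a.name)
    return out


def api_string_index(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    """Group records by the plugin's 'API String ID' so the same key can be looked up in other reports."""
    index: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        index.setdefault(r.fields.get("API String ID", ""), []).append(r)
    return index
```

Feed `parse_records` the text of the whole function listing rather than the sample to get every record; the `API String ID` keys and `Instruction Fuzzy Hash` values can then be compared against the same listing from another report to separate shared installer-runtime functions from code that is unique to a sample.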

                                                                          Execution Graph

                                                                          Execution Coverage:16%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:4.6%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:85
execution_graph: the report's rendered call graph, exported here as a raw node/edge stream ("<id> <address> [API names]", collapsed nodes as "<n> API calls", edges as "<id>-><id>") that is truncated mid-stream. The stream is not reproduced here; what it shows is summarised below.
Clusters in the stream begin at these function addresses: 40cd00, 492848, 498ba8, 42f520, 416b42, 4358e0, 402584, 416644, 4222e4, 44b4a8, 448728, 441394, 491bf8; two isolated nodes: 4165ec (DestroyWindow), 42e3ef (SetErrorMode).
APIs named on nodes in the stream: CloseHandle, Sleep, FindWindowA, SendMessageA, PostMessageA, SendNotifyMessageA, RegisterClipboardFormatA, LocalAlloc, TlsSetValue, TlsGetValue, VariantClear, SetErrorMode, GetLastError, LoadLibraryA, LoadLibraryExA, FreeLibrary, GetProcAddress, CreateMutexA, OemToCharBuffA, CharToOemBuffA, GetModuleHandleA, GetCommandLineA, SetProcessDEPPolicy, GetSystemDefaultLCID, GetLocaleInfoA, LoadStringA, NtdllDefWindowProc_A, CallWindowProcA, GetSysColor, SetTextColor, SetBkColor, CreateBrushIndirect, RtlInitializeCriticalSection, RtlEnterCriticalSection, RtlLeaveCriticalSection, VirtualAlloc, VirtualFree, CreateWindowExA, SetPropA, SetWindowPos, GetMenuItemCount, GetMenuStringA, GetMenuState, GetMenu, SetMenu, DestroyWindow, WriteFile, MessageBeep.
406c34 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56074->56255 56083 491d1d 56076->56083 56084 491d42 56076->56084 56257 407280 LocalAlloc TlsSetValue TlsGetValue TlsGetValue GetCurrentDirectoryA 56077->56257 56079 491cd5 56256 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56079->56256 56080 491cfd 56258 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56080->56258 56085 446ff8 18 API calls 56083->56085 56087 491d7a 56084->56087 56088 491d51 56084->56088 56086 491d2a 56085->56086 56089 4072a8 SetCurrentDirectoryA 56086->56089 56095 491d89 56087->56095 56096 491db2 56087->56096 56090 446ff8 18 API calls 56088->56090 56091 491d32 56089->56091 56092 491d5e 56090->56092 56259 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56091->56259 56094 42c804 5 API calls 56092->56094 56097 491d69 56094->56097 56098 446ff8 18 API calls 56095->56098 56101 491dfe 56096->56101 56102 491dc1 56096->56102 56260 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56097->56260 56100 491d96 56098->56100 56261 4071f8 8 API calls 56100->56261 56108 491e0d 56101->56108 56109 491e36 56101->56109 56104 446ff8 18 API calls 56102->56104 56107 491dd0 56104->56107 56105 491da1 56262 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56105->56262 56110 446ff8 18 API calls 56107->56110 56111 446ff8 18 API calls 56108->56111 56116 491e6e 56109->56116 56117 491e45 56109->56117 56112 491de1 56110->56112 56113 491e1a 56111->56113 56263 4918fc 8 API calls 56112->56263 56115 42c8a4 5 API calls 56113->56115 56119 491e25 56115->56119 56124 491e7d 56116->56124 56125 491ea6 56116->56125 56120 446ff8 18 API calls 56117->56120 56118 491ded 56264 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56118->56264 56265 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56119->56265 56123 491e52 56120->56123 56126 42c8cc 5 API calls 56123->56126 56127 446ff8 18 API calls 56124->56127 56132 
491ede 56125->56132 56133 491eb5 56125->56133 56128 491e5d 56126->56128 56130 491e8a 56127->56130 56266 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56128->56266 56267 42c8fc LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 56130->56267 56139 491eed 56132->56139 56140 491f16 56132->56140 56134 446ff8 18 API calls 56133->56134 56136 491ec2 56134->56136 56135 491e95 56268 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56135->56268 56138 42c92c 5 API calls 56136->56138 56141 491ecd 56138->56141 56142 446ff8 18 API calls 56139->56142 56145 491f62 56140->56145 56146 491f25 56140->56146 56269 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56141->56269 56144 491efa 56142->56144 56147 42c954 5 API calls 56144->56147 56153 491f71 56145->56153 56154 491fb4 56145->56154 56148 446ff8 18 API calls 56146->56148 56149 491f05 56147->56149 56150 491f34 56148->56150 56270 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56149->56270 56152 446ff8 18 API calls 56150->56152 56156 491f45 56152->56156 56155 446ff8 18 API calls 56153->56155 56161 491fc3 56154->56161 56162 492027 56154->56162 56157 491f84 56155->56157 56271 42c4f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 56156->56271 56159 446ff8 18 API calls 56157->56159 56163 491f95 56159->56163 56160 491f51 56272 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56160->56272 56165 446ff8 18 API calls 56161->56165 56169 492066 56162->56169 56170 492036 56162->56170 56273 491af4 12 API calls 56163->56273 56167 491fd0 56165->56167 56236 42c608 7 API calls 56167->56236 56168 491fa3 56274 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56168->56274 56180 4920a5 56169->56180 56181 492075 56169->56181 56173 446ff8 18 API calls 56170->56173 56177 492043 56173->56177 56174 491fde 56175 491fe2 56174->56175 56176 492017 56174->56176 56179 446ff8 18 API calls 56175->56179 56276 4470d0 LocalAlloc 
TlsSetValue TlsGetValue TlsGetValue VariantClear 56176->56276 56277 452908 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 56177->56277 56184 491ff1 56179->56184 56189 4920e4 56180->56189 56190 4920b4 56180->56190 56185 446ff8 18 API calls 56181->56185 56183 492050 56278 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56183->56278 56237 452c80 56184->56237 56188 492082 56185->56188 56193 452770 5 API calls 56188->56193 56200 49212c 56189->56200 56201 4920f3 56189->56201 56194 446ff8 18 API calls 56190->56194 56191 492061 56217 491c39 56191->56217 56192 492001 56275 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56192->56275 56196 49208f 56193->56196 56197 4920c1 56194->56197 56279 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56196->56279 56280 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 56197->56280 56206 49213b 56200->56206 56207 492174 56200->56207 56203 446ff8 18 API calls 56201->56203 56202 4920ce 56281 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56202->56281 56205 492102 56203->56205 56208 446ff8 18 API calls 56205->56208 56209 446ff8 18 API calls 56206->56209 56212 492187 56207->56212 56219 49223d 56207->56219 56210 492113 56208->56210 56211 49214a 56209->56211 56214 447278 5 API calls 56210->56214 56213 446ff8 18 API calls 56211->56213 56215 446ff8 18 API calls 56212->56215 56216 49215b 56213->56216 56214->56217 56218 4921b4 56215->56218 56223 447278 5 API calls 56216->56223 56217->56055 56220 446ff8 18 API calls 56218->56220 56219->56217 56285 446f9c 18 API calls 56219->56285 56221 4921cb 56220->56221 56282 407ddc 7 API calls 56221->56282 56223->56217 56224 492256 56225 42e8c8 5 API calls 56224->56225 56226 49225e 56225->56226 56286 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56226->56286 56229 4921ed 56230 446ff8 18 API calls 
56229->56230 56231 492201 56230->56231 56283 408508 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56231->56283 56233 49220c 56284 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56233->56284 56235 492218 56236->56174 56238 452724 2 API calls 56237->56238 56240 452c99 56238->56240 56239 452c9d 56239->56192 56240->56239 56241 452cc1 MoveFileA GetLastError 56240->56241 56242 452760 Wow64RevertWow64FsRedirection 56241->56242 56243 452ce7 56242->56243 56243->56192 56244->56217 56246 406bbf 56245->56246 56247 406bd8 56246->56247 56249 406be1 56246->56249 56248 403400 4 API calls 56247->56248 56250 406bdf 56248->56250 56251 403778 4 API calls 56249->56251 56252 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56250->56252 56251->56250 56252->56217 56253->56072 56254->56217 56255->56079 56256->56217 56257->56080 56258->56217 56259->56217 56260->56217 56261->56105 56262->56217 56263->56118 56264->56217 56265->56217 56266->56217 56267->56135 56268->56217 56269->56217 56270->56217 56271->56160 56272->56217 56273->56168 56274->56217 56275->56217 56276->56217 56277->56183 56278->56191 56279->56217 56280->56202 56281->56217 56282->56229 56283->56233 56284->56235 56285->56224 56286->56217 56287 40cc34 56290 406f10 WriteFile 56287->56290 56291 406f2d 56290->56291 50363 48095d 50368 451004 50363->50368 50365 480971 50378 47fa0c 50365->50378 50367 480995 50369 451011 50368->50369 50371 451065 50369->50371 50387 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50369->50387 50384 450e88 50371->50384 50375 45108d 50376 4510d0 50375->50376 50389 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50375->50389 50376->50365 50394 40b3c8 50378->50394 50380 47fa79 50380->50367 50383 47fa2e 50383->50380 50398 4069dc 50383->50398 50401 476994 50383->50401 50390 450e34 50384->50390 50387->50371 50388 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50388->50375 50389->50376 50391 450e46 50390->50391 50392 450e57 50390->50392 50393 450e4b 
InterlockedExchange 50391->50393 50392->50375 50392->50388 50393->50392 50395 40b3d3 50394->50395 50396 40b3f3 50395->50396 50417 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50395->50417 50396->50383 50399 402648 4 API calls 50398->50399 50400 4069e7 50399->50400 50400->50383 50412 4769c5 50401->50412 50415 476a0e 50401->50415 50402 476a59 50418 451294 50402->50418 50404 476a70 50406 403420 4 API calls 50404->50406 50408 476a8a 50406->50408 50407 4038a4 4 API calls 50407->50415 50408->50383 50411 403450 4 API calls 50411->50415 50414 451294 21 API calls 50412->50414 50412->50415 50424 4038a4 50412->50424 50433 403744 50412->50433 50437 403450 50412->50437 50413 403744 4 API calls 50413->50415 50414->50412 50415->50402 50415->50407 50415->50411 50415->50413 50416 451294 21 API calls 50415->50416 50416->50415 50417->50396 50419 4512af 50418->50419 50423 4512a4 50418->50423 50443 451238 21 API calls 50419->50443 50421 4512ba 50421->50423 50444 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50421->50444 50423->50404 50426 4038b1 50424->50426 50432 4038e1 50424->50432 50425 403400 4 API calls 50428 4038cb 50425->50428 50427 4038da 50426->50427 50429 4038bd 50426->50429 50430 4034bc 4 API calls 50427->50430 50428->50412 50445 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50429->50445 50430->50432 50432->50425 50434 40374a 50433->50434 50436 40375b 50433->50436 50435 4034bc 4 API calls 50434->50435 50434->50436 50435->50436 50436->50412 50438 403454 50437->50438 50439 403464 50437->50439 50438->50439 50441 4034bc 4 API calls 50438->50441 50440 403490 50439->50440 50442 402660 4 API calls 50439->50442 50440->50412 50441->50439 50442->50440 50443->50421 50444->50423 50445->50428 50446 41ee54 50447 41ee63 IsWindowVisible 50446->50447 50448 41ee99 50446->50448 50447->50448 50449 41ee6d IsWindowEnabled 50447->50449 50449->50448 50450 41ee77 50449->50450 50451 402648 4 API calls 50450->50451 50452 41ee81 EnableWindow 50451->50452 50452->50448 50453 
46bb10 50454 46bb44 50453->50454 50485 46bfad 50453->50485 50458 46bbdc 50454->50458 50459 46bbba 50454->50459 50460 46bbcb 50454->50460 50461 46bb98 50454->50461 50462 46bba9 50454->50462 50471 46bb80 50454->50471 50455 403400 4 API calls 50457 46bfec 50455->50457 50466 403400 4 API calls 50457->50466 50776 46baa0 45 API calls 50458->50776 50509 46b6d0 50459->50509 50775 46b890 67 API calls 50460->50775 50773 46b420 47 API calls 50461->50773 50774 46b588 42 API calls 50462->50774 50470 46bff4 50466->50470 50469 46bb9e 50469->50471 50469->50485 50471->50485 50544 468c74 50471->50544 50472 46bc18 50472->50485 50488 46bc5b 50472->50488 50777 494da0 50472->50777 50475 46bd7e 50796 48358c 123 API calls 50475->50796 50476 414ae8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50476->50488 50479 46bd99 50479->50485 50480 42cbc0 6 API calls 50480->50488 50481 46af68 23 API calls 50481->50488 50483 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50483->50488 50485->50455 50486 46bdd7 50562 469f1c 50486->50562 50487 46af68 23 API calls 50487->50485 50488->50475 50488->50476 50488->50480 50488->50481 50488->50483 50488->50485 50488->50486 50505 46be9f 50488->50505 50547 468bb0 50488->50547 50555 46acd4 50488->50555 50700 483084 50488->50700 50813 46b1dc 19 API calls 50488->50813 50490 46be3d 50491 403450 4 API calls 50490->50491 50492 46be4d 50491->50492 50493 46bea9 50492->50493 50494 46be59 50492->50494 50499 46bf6b 50493->50499 50623 46af68 50493->50623 50797 457f1c 50494->50797 50498 457f1c 24 API calls 50498->50505 50505->50487 50814 46c424 50509->50814 50512 46b852 50514 403420 4 API calls 50512->50514 50516 46b86c 50514->50516 50515 46b71e 50517 46b83e 50515->50517 50821 455f84 13 API calls 50515->50821 50518 403400 4 API calls 50516->50518 50517->50512 50520 403450 4 API calls 50517->50520 50521 46b874 50518->50521 50520->50512 50522 403400 4 API calls 50521->50522 50523 46b87c 50522->50523 50523->50471 50524 46b801 50524->50512 50524->50517 50529 42cd48 7 API 
calls 50524->50529 50526 46b7a1 50526->50512 50526->50524 50831 42cd48 50526->50831 50528 46b73c 50528->50526 50822 466600 50528->50822 50531 46b817 50529->50531 50531->50517 50536 451458 4 API calls 50531->50536 50535 466600 19 API calls 50539 46b82e 50536->50539 50838 47efd0 42 API calls 50539->50838 50545 468bb0 19 API calls 50544->50545 50546 468c83 50545->50546 50546->50472 50548 468bdf 50547->50548 50549 4078f4 19 API calls 50548->50549 50552 468c20 50548->50552 50550 468c18 50549->50550 51091 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50550->51091 50553 403400 4 API calls 50552->50553 50554 468c38 50553->50554 50554->50488 50556 46ace5 50555->50556 50557 46ace0 50555->50557 51177 469a80 46 API calls 50556->51177 50559 46ace3 50557->50559 51092 46a740 50557->51092 50559->50488 50560 46aced 50560->50488 50563 403400 4 API calls 50562->50563 50564 469f4a 50563->50564 51554 47dd00 50564->51554 50566 469fad 50567 469fb1 50566->50567 50568 469fca 50566->50568 51561 466800 50567->51561 50570 469fbb 50568->50570 51564 494c90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50568->51564 50572 46a25e 50570->50572 50575 46a154 50570->50575 50576 46a0e9 50570->50576 50573 403420 4 API calls 50572->50573 50578 46a288 50573->50578 50574 469fe6 50574->50570 50579 469fee 50574->50579 50577 403494 4 API calls 50575->50577 50580 403494 4 API calls 50576->50580 50582 46a161 50577->50582 50578->50490 50583 46af68 23 API calls 50579->50583 50581 46a0f6 50580->50581 50584 40357c 4 API calls 50581->50584 50585 40357c 4 API calls 50582->50585 50592 469ffb 50583->50592 50586 46a103 50584->50586 50587 46a16e 50585->50587 50588 40357c 4 API calls 50586->50588 50589 40357c 4 API calls 50587->50589 50590 46a110 50588->50590 50591 46a17b 50589->50591 50593 40357c 4 API calls 50590->50593 50594 40357c 4 API calls 50591->50594 50597 46a024 SetActiveWindow 50592->50597 50598 46a03c 50592->50598 50595 46a11d 50593->50595 50596 46a188 50594->50596 50599 466800 20 API calls 
50595->50599 50600 40357c 4 API calls 50596->50600 50597->50598 51565 42f560 50598->51565 50601 46a12b 50599->50601 50602 46a196 50600->50602 50604 40357c 4 API calls 50601->50604 50605 414b18 4 API calls 50602->50605 50607 46a134 50604->50607 50608 46a152 50605->50608 50610 40357c 4 API calls 50607->50610 51582 466b38 50608->51582 50613 46a141 50610->50613 50612 46a08d 50615 46ade4 21 API calls 50612->50615 50614 414b18 4 API calls 50613->50614 50614->50608 50616 46a0bf 50615->50616 50616->50490 50624 468c74 19 API calls 50623->50624 50625 46af80 50624->50625 50626 46afa2 50625->50626 50627 4652cc 7 API calls 50625->50627 51778 4652cc 50626->51778 50627->50626 50631 46afba 50632 46ade4 21 API calls 50631->50632 50633 46aff2 50632->50633 50634 414b18 4 API calls 50633->50634 50635 46b006 50634->50635 50636 46b012 50635->50636 50637 46b03c 50635->50637 50638 414b18 4 API calls 50636->50638 50640 46b05b 50637->50640 50641 46b085 50637->50641 50639 46b026 50638->50639 50642 414b18 4 API calls 50639->50642 50643 414b18 4 API calls 50640->50643 50644 414b18 4 API calls 50641->50644 50646 46b03a 50642->50646 50647 46b06f 50643->50647 50645 46b099 50644->50645 50648 414b18 4 API calls 50645->50648 50649 414b18 4 API calls 50647->50649 50648->50646 50649->50646 50701 46c424 48 API calls 50700->50701 50702 4830c7 50701->50702 50703 4830d0 50702->50703 52065 408be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50702->52065 50705 414ae8 4 API calls 50703->50705 50706 4830e0 50705->50706 50707 403450 4 API calls 50706->50707 50708 4830ed 50707->50708 51867 46c77c 50708->51867 50711 4830fd 50713 414ae8 4 API calls 50711->50713 50714 48310d 50713->50714 50715 403450 4 API calls 50714->50715 50716 48311a 50715->50716 50717 469868 SendMessageA 50716->50717 50718 483133 50717->50718 50719 483184 50718->50719 52067 479e18 23 API calls 50718->52067 51896 4241dc IsIconic 50719->51896 50723 48319f SetActiveWindow 50724 4831b4 50723->50724 51904 4824b4 50724->51904 
50773->50469 50774->50471 50775->50471 50776->50471 53720 43d9c8 50777->53720 50780 494dcc 53725 431bd0 50780->53725 50781 494e52 50782 494e61 50781->50782 53758 4945c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50781->53758 50782->50488 50791 494e16 53756 49465c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50791->53756 50793 494e2a 53757 433dd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50793->53757 50795 494e4a 50795->50488 50796->50479 50798 457f41 50797->50798 50799 457f61 50798->50799 50800 4078f4 19 API calls 50798->50800 50801 403400 4 API calls 50799->50801 50802 457f59 50800->50802 50803 457f76 50801->50803 50804 457d10 24 API calls 50802->50804 50803->50498 50804->50799 50813->50488 50839 46c4bc 50814->50839 50817 414ae8 50818 414af6 50817->50818 50819 4034e0 4 API calls 50818->50819 50820 414b03 50819->50820 50820->50515 50821->50528 50823 46661a 50822->50823 51042 4078f4 50823->51042 51085 42cccc 50831->51085 50834 451458 50835 451428 4 API calls 50834->50835 50836 451474 50835->50836 50837 47efd0 42 API calls 50836->50837 50837->50524 50838->50517 50840 414ae8 4 API calls 50839->50840 50841 46c4f0 50840->50841 50900 466898 50841->50900 50845 46c502 50846 46c511 50845->50846 50849 46c52a 50845->50849 50969 47efd0 42 API calls 50846->50969 50848 403420 4 API calls 50851 46b702 50848->50851 50850 46c571 50849->50850 50852 46c558 50849->50852 50853 46c5d6 50850->50853 50858 46c575 50850->50858 50851->50512 50851->50817 50970 47efd0 42 API calls 50852->50970 50972 42cb4c CharNextA 50853->50972 50856 46c5e5 50857 46c5e9 50856->50857 50862 46c602 50856->50862 50973 47efd0 42 API calls 50857->50973 50860 46c5bd 50858->50860 50858->50862 50971 47efd0 42 API calls 50860->50971 50861 46c626 50974 47efd0 42 API calls 50861->50974 50862->50861 50914 466a08 50862->50914 50867 46c525 50867->50848 50870 46c63f 50922 403778 50870->50922 50875 46c666 50975 466a94 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50875->50975 50876 46c697 50933 42c8cc 50876->50933 
50879 46c679 50881 451458 4 API calls 50879->50881 50883 46c686 50881->50883 50976 47efd0 42 API calls 50883->50976 50905 4668b2 50900->50905 50901 406bb0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50901->50905 50903 42cbc0 6 API calls 50903->50905 50904 403450 4 API calls 50904->50905 50905->50901 50905->50903 50905->50904 50906 4668fb 50905->50906 50979 42caac 50905->50979 50907 403420 4 API calls 50906->50907 50908 466915 50907->50908 50909 414b18 50908->50909 50910 414ae8 4 API calls 50909->50910 50911 414b3c 50910->50911 50912 403400 4 API calls 50911->50912 50913 414b6d 50912->50913 50913->50845 50915 466a12 50914->50915 50916 466a25 50915->50916 50995 42cb3c CharNextA 50915->50995 50916->50861 50918 466a38 50916->50918 50919 466a42 50918->50919 50920 466a6f 50919->50920 50996 42cb3c CharNextA 50919->50996 50920->50861 50920->50870 50923 4037aa 50922->50923 50924 40377d 50922->50924 50925 403400 4 API calls 50923->50925 50924->50923 50926 403791 50924->50926 50928 4037a0 50925->50928 50927 4034e0 4 API calls 50926->50927 50927->50928 50929 42c99c 50928->50929 50930 42c9b2 50929->50930 50931 42c9f5 50929->50931 50930->50931 50997 42cb3c CharNextA 50930->50997 50931->50875 50931->50876 50998 42c674 50933->50998 50969->50867 50970->50867 50971->50867 50972->50856 50973->50867 50974->50867 50975->50879 50976->50867 50980 403494 4 API calls 50979->50980 50981 42cabc 50980->50981 50982 403744 4 API calls 50981->50982 50986 42caf2 50981->50986 50988 42c444 IsDBCSLeadByte 50981->50988 50982->50981 50984 42cb36 50984->50905 50986->50984 50989 4037b8 50986->50989 50994 42c444 IsDBCSLeadByte 50986->50994 50988->50981 50990 403744 4 API calls 50989->50990 50992 4037c6 50990->50992 50991 4037fc 50991->50986 50992->50991 50993 4038a4 4 API calls 50992->50993 50993->50991 50994->50986 50995->50915 50996->50919 50997->50930 51001 42c67c 50998->51001 51004 42c68d 51001->51004 51002 42c6f1 51005 42c6ec 51002->51005 51009 42c444 IsDBCSLeadByte 51002->51009 51004->51002 
51007 42c6ab 51004->51007 51007->51005 51008 42c444 IsDBCSLeadByte 51007->51008 51008->51007 51009->51005 51045 407908 51042->51045 51046 407925 51045->51046 51053 4075b8 51046->51053 51049 407951 51051 4034e0 4 API calls 51049->51051 51052 407903 51051->51052 51052->50535 51056 4075d3 51053->51056 51054 4075e5 51054->51049 51058 4069a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51054->51058 51056->51054 51059 4076da 19 API calls 51056->51059 51060 4075ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51056->51060 51058->51049 51059->51056 51060->51056 51086 42cbc0 6 API calls 51085->51086 51087 42ccee 51086->51087 51088 42ccf6 GetFileAttributesA 51087->51088 51089 403400 4 API calls 51088->51089 51090 42cd13 51089->51090 51090->50524 51090->50834 51091->50552 51094 46a787 51092->51094 51093 46abff 51096 46ac1a 51093->51096 51097 46ac4b 51093->51097 51094->51093 51095 46a842 51094->51095 51098 403494 4 API calls 51094->51098 51101 46a863 51095->51101 51102 46a8a4 51095->51102 51099 403494 4 API calls 51096->51099 51100 403494 4 API calls 51097->51100 51104 46a7c6 51098->51104 51105 46ac28 51099->51105 51106 46ac59 51100->51106 51103 403494 4 API calls 51101->51103 51110 403400 4 API calls 51102->51110 51107 46a871 51103->51107 51108 414ae8 4 API calls 51104->51108 51204 46915c 12 API calls 51105->51204 51205 46915c 12 API calls 51106->51205 51112 414ae8 4 API calls 51107->51112 51113 46a7e7 51108->51113 51114 46a8a2 51110->51114 51116 46a892 51112->51116 51178 403634 51113->51178 51134 46a988 51114->51134 51184 469868 51114->51184 51115 46ac36 51118 403400 4 API calls 51115->51118 51119 403634 4 API calls 51116->51119 51122 46ac7c 51118->51122 51119->51114 51127 403400 4 API calls 51122->51127 51123 46aa10 51125 403400 4 API calls 51123->51125 51130 46aa0e 51125->51130 51126 46a8c4 51131 46a902 51126->51131 51132 46a8ca 51126->51132 51128 46ac84 51127->51128 51133 403420 4 API calls 51128->51133 51199 469ca4 43 API calls 51130->51199 51135 403400 4 
API calls 51131->51135 51136 403494 4 API calls 51132->51136 51138 46ac91 51133->51138 51134->51123 51139 46a9cf 51134->51139 51140 46a900 51135->51140 51137 46a8d8 51136->51137 51190 47c26c 51137->51190 51138->50559 51144 403494 4 API calls 51139->51144 51193 469b5c 51140->51193 51148 46a9dd 51144->51148 51146 46aa39 51154 46aa44 51146->51154 51155 46aa9a 51146->51155 51147 46a8f0 51150 403634 4 API calls 51147->51150 51151 414ae8 4 API calls 51148->51151 51150->51140 51153 46a9fe 51151->51153 51156 403634 4 API calls 51153->51156 51158 403494 4 API calls 51154->51158 51157 403400 4 API calls 51155->51157 51156->51130 51164 46aaa2 51157->51164 51166 46aa52 51158->51166 51159 46a929 51160 46a934 51159->51160 51161 46a98a 51159->51161 51163 403494 4 API calls 51160->51163 51162 403400 4 API calls 51161->51162 51162->51134 51168 46a942 51163->51168 51176 46ab4b 51164->51176 51200 494c90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51164->51200 51166->51164 51170 403634 4 API calls 51166->51170 51172 46aa98 51166->51172 51167 46aac5 51167->51176 51201 494f3c 18 API calls 51167->51201 51168->51134 51171 403634 4 API calls 51168->51171 51170->51166 51171->51168 51172->51164 51174 46abec 51203 429144 SendMessageA SendMessageA 51174->51203 51202 4290f4 SendMessageA 51176->51202 51177->50560 51179 40363c 51178->51179 51180 4034bc 4 API calls 51179->51180 51181 40364f 51180->51181 51182 403450 4 API calls 51181->51182 51183 403677 51182->51183 51206 42a040 SendMessageA 51184->51206 51186 469877 51187 469897 51186->51187 51207 42a040 SendMessageA 51186->51207 51187->51126 51189 469887 51189->51126 51208 47c2b4 51190->51208 51197 469b89 51193->51197 51194 469beb 51195 403400 4 API calls 51194->51195 51196 469c00 51195->51196 51196->51159 51197->51194 51553 469ae0 43 API calls 51197->51553 51199->51146 51200->51167 51201->51176 51202->51174 51203->51093 51204->51115 51205->51115 51206->51186 51207->51189 51209 403494 4 API calls 51208->51209 51216 47c2e7 51209->51216 51210 
47c3f9 51211 403420 4 API calls 51210->51211 51212 47c289 51211->51212 51212->51147 51214 403778 4 API calls 51214->51216 51216->51210 51216->51214 51219 4037b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51216->51219 51220 47b100 51216->51220 51464 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51216->51464 51465 403800 51216->51465 51469 42c97c CharPrevA 51216->51469 51219->51216 51221 47b152 51220->51221 51222 47b130 51220->51222 51223 47b172 51221->51223 51224 47b160 51221->51224 51222->51221 51474 47a030 19 API calls 51222->51474 51227 47b1d5 51223->51227 51228 47b180 51223->51228 51225 403494 4 API calls 51224->51225 51279 47b16d 51225->51279 51237 47b1f6 51227->51237 51238 47b1e3 51227->51238 51230 47b1af 51228->51230 51231 47b189 51228->51231 51229 403400 4 API calls 51232 47baf8 51229->51232 51234 47b1c2 51230->51234 51476 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51230->51476 51233 47b19c 51231->51233 51475 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51231->51475 51236 403400 4 API calls 51232->51236 51240 403494 4 API calls 51233->51240 51235 403494 4 API calls 51234->51235 51235->51279 51242 47bb00 51236->51242 51244 47b217 51237->51244 51245 47b204 51237->51245 51243 403494 4 API calls 51238->51243 51240->51279 51242->51216 51243->51279 51247 47b267 51244->51247 51248 47b225 51244->51248 51246 403494 4 API calls 51245->51246 51246->51279 51255 47b275 51247->51255 51256 47b288 51247->51256 51249 47b241 51248->51249 51250 47b22e 51248->51250 51252 47b254 51249->51252 51477 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51249->51477 51251 403494 4 API calls 51250->51251 51251->51279 51254 403494 4 API calls 51252->51254 51254->51279 51257 403494 4 API calls 51255->51257 51258 47b296 51256->51258 51259 47b2a9 51256->51259 51257->51279 51260 403494 4 API calls 51258->51260 51261 47b2b7 51259->51261 51262 47b2ca 51259->51262 51260->51279 51263 403494 4 API calls 51261->51263 51264 47b2eb 51262->51264 51265 47b2d8 
51262->51265 51263->51279 51267 47b327 51264->51267 51268 47b2f9 51264->51268 51266 403494 4 API calls 51265->51266 51266->51279 51273 47b335 51267->51273 51278 47b364 51267->51278 51269 47b315 51268->51269 51270 47b302 51268->51270 51272 47c26c 43 API calls 51269->51272 51271 403494 4 API calls 51270->51271 51271->51279 51272->51279 51274 47b351 51273->51274 51275 47b33e 51273->51275 51277 403494 4 API calls 51274->51277 51276 403494 4 API calls 51275->51276 51276->51279 51277->51279 51280 47b372 51278->51280 51281 47b3a0 51278->51281 51279->51229 51282 47b38e 51280->51282 51283 47b37b 51280->51283 51286 47b3ae 51281->51286 51287 47b3dd 51281->51287 51464->51216 51466 40382f 51465->51466 51467 403804 51465->51467 51466->51216 51468 4038a4 4 API calls 51467->51468 51468->51466 51469->51216 51474->51222 51475->51233 51476->51234 51477->51252 51553->51197 51555 47dd56 51554->51555 51556 47dd19 51554->51556 51555->50566 51586 455d0c 51556->51586 51560 47dd6d 51560->50566 51705 466714 51561->51705 51564->50574 51566 42f56c 51565->51566 51567 42f58f GetActiveWindow GetFocus 51566->51567 51568 41eea4 2 API calls 51567->51568 51569 42f5a6 51568->51569 51570 42f5c3 51569->51570 51571 42f5b3 RegisterClassA 51569->51571 51572 42f652 SetFocus 51570->51572 51573 42f5d1 CreateWindowExA 51570->51573 51571->51570 51574 403400 4 API calls 51572->51574 51573->51572 51575 42f604 51573->51575 51576 42f66e 51574->51576 51736 42427c 51575->51736 51581 494f3c 18 API calls 51576->51581 51578 42f62c 51579 42f634 CreateWindowExA 51578->51579 51579->51572 51580 42f64a ShowWindow 51579->51580 51580->51572 51581->50612 51742 44b514 51582->51742 51587 455d1d 51586->51587 51588 455d21 51587->51588 51589 455d2a 51587->51589 51612 455a10 51588->51612 51620 455af0 29 API calls 51589->51620 51592 455d27 51592->51555 51593 47d970 51592->51593 51598 47da6c 51593->51598 51600 47d9b0 51593->51600 51594 403420 4 API calls 51595 47db4f 51594->51595 51595->51560 51605 47dabd 51598->51605 51608 47da0f 
Strings
• Version of existing file: (none), xrefs: 00470CFA
• Existing file has a later time stamp. Skipping., xrefs: 00470DCF
• Stripped read-only attribute., xrefs: 00470EC7
• Non-default bitness: 32-bit, xrefs: 004708BB
• Time stamp of our file: %s, xrefs: 0047099B
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
• Incrementing shared file count (64-bit)., xrefs: 0047158C
• Same version. Skipping., xrefs: 00470CE5
• Installing the file., xrefs: 00470F09
• Existing file is a newer version. Skipping., xrefs: 00470C02
• Same time stamp. Skipping., xrefs: 00470D55
• Time stamp of our file: (failed to read), xrefs: 004709A7
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
• Couldn't read time stamp. Skipping., xrefs: 00470D35
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
• , xrefs: 00470BCF, 00470DA0, 00470E1E
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
• Dest file is protected by Windows File Protection., xrefs: 004708ED
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
• .tmp, xrefs: 00470FB7
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
• Failed to strip read-only attribute., xrefs: 00470ED3
• Time stamp of existing file: (failed to read), xrefs: 00470A37
• Dest filename: %s, xrefs: 00470894
• Incrementing shared file count (32-bit)., xrefs: 004715A5
• User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
• Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
• Installing into GAC, xrefs: 00471714
• Non-default bitness: 64-bit, xrefs: 004708AF
• Uninstaller requires administrator: %s, xrefs: 0047118F
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
• Will register the file (a type library) later., xrefs: 00471513
• InUn, xrefs: 0047115F
• Version of our file: (none), xrefs: 00470AFC
• Time stamp of existing file: %s, xrefs: 00470A2B
• Dest file exists., xrefs: 004709BB
• -- File entry --, xrefs: 004706FB
• Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
• Will register the file (a DLL/OCX) later., xrefs: 0047151F
• @, xrefs: 004707B0
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 0-4021121268
• Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                          • Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
                                                                          • Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
                                                                          • Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

                                                                           Control-flow Graph (rendered in the report; the executed/not-executed colouring is not recoverable from the text, so only the blocks that call Windows APIs are listed)
                                                                           • Function 0042E09C-0042E28F
                                                                           • 42e0b8-42e0dd AllocateAndInitializeSid
                                                                           • 42e0e3-42e100 GetVersion
                                                                           • 42e102-42e117 GetModuleHandleA, GetProcAddress
                                                                           • 42e11d-42e12b CheckTokenMembership
                                                                           • 42e142-42e15c GetCurrentThread, OpenThreadToken
                                                                           • 42e15e-42e168 GetLastError
                                                                           • 42e174-42e187 GetCurrentProcess, OpenProcessToken
                                                                           • 42e193-42e1bb GetTokenInformation
                                                                           • 42e1bd-42e1c5 GetLastError
                                                                           • 42e1d6-42e1fa GetTokenInformation
                                                                           • 42e215-42e228 EqualSid
                                                                           • 42e243-42e261 CloseHandle
                                                                           • 42e269-42e27f FreeSid
                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
                                                                          • GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
                                                                          • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
                                                                          • FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                          • String ID: CheckTokenMembership$advapi32.dll
                                                                          • API String ID: 2252812187-1888249752
                                                                          • Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                          • Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
                                                                          • Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
                                                                          • Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79
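The AllocateAndInitializeSid call above is worth decoding: a subauthority count of 2 with RIDs 0x20 (SECURITY_BUILTIN_DOMAIN_RID, 32) and 0x220 (DOMAIN_ALIAS_RID_ADMINS, 544) builds S-1-5-32-544, the local Builtin\Administrators group. The function then asks whether the calling token holds that SID, resolving CheckTokenMembership from advapi32.dll by name first and, when that is not available, falling back to OpenThreadToken/OpenProcessToken, GetTokenInformation and an EqualSid loop over the token's groups. That is the shape of an installer's "am I an administrator" check and is consistent with Inno Setup's IsMemberOfGroup routine; the file-entry strings listed above are Inno Setup's own log messages, so this code belongs to the installer stub rather than to the Socks5Systemz payload it carries. The identifier authority is read from 00499788 and its value is not printed in the report; SECURITY_NT_AUTHORITY (5) is assumed below because these RIDs are only defined under it. The following Python is an added example, not code from the report or from the sample: it lays the SID out byte for byte as Windows does, renders and parses the S-1-... form, and contrasts the two membership semantics over a constructed TokenGroups list (the token contents, the DOMAIN_ALIAS_RID_USERS entry and the attribute combinations are mine; the flag constants are the documented Windows values).

```python
import struct

# Values from the AllocateAndInitializeSid call: count 2, RIDs 0x20 and 0x220.
# The identifier authority is read from 00499788 and is not printed in the
# report; SECURITY_NT_AUTHORITY is assumed because these RIDs belong to it.
SECURITY_NT_AUTHORITY = 5
SECURITY_BUILTIN_DOMAIN_RID = 0x20    # 32
DOMAIN_ALIAS_RID_ADMINS = 0x220       # 544
DOMAIN_ALIAS_RID_USERS = 0x221        # 545, only used for the constructed token
SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15

# Documented SID_AND_ATTRIBUTES flags that appear in TokenGroups.
SE_GROUP_MANDATORY = 0x01
SE_GROUP_ENABLED_BY_DEFAULT = 0x02
SE_GROUP_ENABLED = 0x04
SE_GROUP_OWNER = 0x08
SE_GROUP_USE_FOR_DENY_ONLY = 0x10


def allocate_sid(identifier_authority, *sub_authorities):
    """Lay a SID out as AllocateAndInitializeSid does: revision byte, subauthority
    count byte, 6-byte big-endian identifier authority, then each subauthority
    as a little-endian DWORD."""
    if not 1 <= len(sub_authorities) <= SID_MAX_SUB_AUTHORITIES:
        raise ValueError("a SID carries 1..15 subauthorities")
    if not 0 <= identifier_authority < (1 << 48):
        raise ValueError("identifier authority is a 48-bit value")
    head = struct.pack("<BB", SID_REVISION, len(sub_authorities))
    authority = identifier_authority.to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", s) for s in sub_authorities)
    return head + authority + subs


def sid_to_string(sid):
    """Render a binary SID as S-R-A-S1-...; the length is checked against the
    count byte, which is how a truncated SID in a memory dump is caught."""
    sid = bytes(sid)
    if len(sid) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = sid[0], sid[1]
    if revision != SID_REVISION or not 1 <= count <= SID_MAX_SUB_AUTHORITIES:
        raise ValueError("bad revision or subauthority count")
    if len(sid) != 8 + 4 * count:
        raise ValueError("length does not match subauthority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_string(text):
    """Inverse of sid_to_string for the usual decimal form."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S" or int(parts[1]) != SID_REVISION:
        raise ValueError("not a SID string")
    return allocate_sid(int(parts[2]), *(int(p) for p in parts[3:]))


def equal_sid(a, b):
    """EqualSid compares revision, count, authority and every subauthority; for
    well-formed SIDs that is equality of the whole buffer."""
    sid_to_string(a)
    sid_to_string(b)
    return bytes(a) == bytes(b)


def sid_present(token_groups, sid):
    """The fallback branch in the graph above: GetTokenInformation(TokenGroups)
    then EqualSid against each entry. No attribute check, so a deny-only entry
    still counts as membership."""
    return any(equal_sid(group, sid) for group, _attributes in token_groups)


def check_token_membership(token_groups, sid):
    """Approximates CheckTokenMembership: only an enabled group counts, and an
    entry flagged SE_GROUP_USE_FOR_DENY_ONLY never does."""
    for group, attributes in token_groups:
        if equal_sid(group, sid):
            return bool(attributes & SE_GROUP_ENABLED) and not attributes & SE_GROUP_USE_FOR_DENY_ONLY
    return False


BUILTIN_ADMINISTRATORS = allocate_sid(SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)
BUILTIN_USERS = allocate_sid(SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS)

_ENABLED = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED
# Constructed TokenGroups, not taken from the sandbox run: an administrator's
# UAC-filtered (non-elevated) token and the same account's elevated token.
FILTERED_ADMIN_TOKEN = [(BUILTIN_USERS, _ENABLED),
                        (BUILTIN_ADMINISTRATORS, SE_GROUP_USE_FOR_DENY_ONLY)]
ELEVATED_ADMIN_TOKEN = [(BUILTIN_USERS, _ENABLED),
                        (BUILTIN_ADMINISTRATORS, _ENABLED | SE_GROUP_OWNER)]

if __name__ == "__main__":
    print(BUILTIN_ADMINISTRATORS.hex(), sid_to_string(BUILTIN_ADMINISTRATORS))
    for label, token in (("filtered", FILTERED_ADMIN_TOKEN), ("elevated", ELEVATED_ADMIN_TOKEN)):
        print(label, "EqualSid scan:", sid_present(token, BUILTIN_ADMINISTRATORS),
              "CheckTokenMembership:", check_token_membership(token, BUILTIN_ADMINISTRATORS))
```

The point for triage: under UAC a non-elevated administrator's token still carries S-1-5-32-544, but with SE_GROUP_USE_FOR_DENY_ONLY set, so CheckTokenMembership answers no while a plain EqualSid scan that never looks at the attributes answers yes. The two branches in the graph above therefore disagree on a filtered token, and which one runs depends on whether the GetProcAddress lookup succeeded, which is why the GetVersion check before it matters when reading the sample's behaviour.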

                                                                           Control-flow Graph (rendered in the report; block list summarised, executed/not-executed colouring not recoverable from the text)
                                                                           • Function 004502C0-00450386
                                                                           • 4502d3-4502e0 GetVersion
                                                                           • 4502e6-4502fc LoadLibraryA
                                                                           • 4502fe-450377 GetProcAddress (6 calls)
                                                                          APIs
                                                                          • GetVersion.KERNEL32(00480B52), ref: 004502D3
                                                                          • LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
                                                                          • GetProcAddress.KERNEL32(6E580000,RmStartSession), ref: 00450309
                                                                          • GetProcAddress.KERNEL32(6E580000,RmRegisterResources), ref: 0045031E
                                                                          • GetProcAddress.KERNEL32(6E580000,RmGetList), ref: 00450333
                                                                          • GetProcAddress.KERNEL32(6E580000,RmShutdown), ref: 00450348
                                                                          • GetProcAddress.KERNEL32(6E580000,RmRestart), ref: 0045035D
                                                                          • GetProcAddress.KERNEL32(6E580000,RmEndSession), ref: 00450372
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                          • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                          • API String ID: 1968650500-3419246398
                                                                          • Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                          • Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
                                                                          • Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
                                                                          • Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C
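Both functions above resolve imports at run time instead of through the import table: the first takes CheckTokenMembership from advapi32.dll via GetModuleHandleA and GetProcAddress, the second loads Rstrtmgr.dll with LoadLibraryA and pulls six Restart Manager entry points (RmStartSession through RmEndSession), and a subcall of the large dialog function further down does the same for SHAutoComplete. This is the behaviour behind the "Contains functionality to dynamically determine API calls" signature in the summary, and for triage the useful output is the list of resolved names per module, which the report only shows one block at a time. The following Python is an added example, not part of the report or of Joe Sandbox: it parses "APIs" lines in the format they appear in above (the sample text is copied from the three blocks just named) and emits each runtime-resolved export together with the module the sample asked for and the module the sandbox later saw the call land in. Joe Sandbox prints stack slots as call arguments, so the export name is not always the second GetProcAddress argument (in the advapi32 block it appears next to the DLL name on the GetModuleHandleA line); the parser therefore also collects identifier-like tokens from the loader lines, which is a heuristic and is labelled as such in the code.

```python
import re
from collections import OrderedDict

# "APIs" lines copied from the three report blocks discussed above; the bare
# "APIs" header is the per-function separator the report itself uses.
SAMPLE_LISTING = """\
APIs
• GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
APIs
• GetVersion.KERNEL32(00480B52), ref: 004502D3
• LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
• GetProcAddress.KERNEL32(6E580000,RmStartSession), ref: 00450309
• GetProcAddress.KERNEL32(6E580000,RmRegisterResources), ref: 0045031E
• GetProcAddress.KERNEL32(6E580000,RmGetList), ref: 00450333
• GetProcAddress.KERNEL32(6E580000,RmShutdown), ref: 00450348
• GetProcAddress.KERNEL32(6E580000,RmRestart), ref: 0045035D
• GetProcAddress.KERNEL32(6E580000,RmEndSession), ref: 00450372
APIs
  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
"""

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*?)\), ref: (?P<ref>[0-9A-F]{8})\s*$"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")
IDENT = re.compile(r"[A-Za-z_]\w*")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


def parse_blocks(text):
    """Split the listing at each 'APIs' header; every block becomes a list of
    dicts with api, mod (module Joe saw the call land in), args, ref, sub."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        match = API_LINE.match(line)
        if match and current is not None:
            call = match.groupdict()
            call["args"] = [a.strip() for a in call["args"].split(",")] if call["args"] else []
            current.append(call)
    return blocks


def looks_like_export(token):
    """An identifier that is neither a printed 32-bit stack value nor a DLL name."""
    return (IDENT.fullmatch(token) is not None
            and HEX32.fullmatch(token) is None
            and not token.lower().endswith(".dll"))


def runtime_resolved_imports(text):
    """Return [(export, requested_module, observed_module, ref)] for every export
    the listing shows being fetched with GetProcAddress."""
    rows = []
    for calls in parse_blocks(text):
        gpa = [c for c in calls if c["api"] == "GetProcAddress"]
        if not gpa:
            continue
        loaded = [a for c in calls if c["api"] in LOADERS
                  for a in c["args"] if a.lower().endswith(".dll")]
        observed = {c["api"]: c["mod"] for c in calls}   # later direct calls: Name.MODULE(
        found = OrderedDict()
        for c in calls:
            if c["api"] == "GetProcAddress":
                candidates, ref = c["args"][1:], c["ref"]
            elif c["api"] in LOADERS:
                # Heuristic: the stack slots printed for the loader call can carry
                # the export name that the following GetProcAddress will use.
                candidates, ref = c["args"], gpa[0]["ref"]
            else:
                continue
            for token in candidates:
                if looks_like_export(token):
                    found.setdefault(token, ref)
        for name, ref in found.items():
            rows.append((name, loaded[0] if loaded else None, observed.get(name), ref))
    return rows


def group_by_module(rows):
    """Module -> exports, preferring the module the sample asked for."""
    grouped = {}
    for name, requested, observed, _ref in rows:
        grouped.setdefault(requested or observed or "?", []).append(name)
    return grouped


if __name__ == "__main__":
    for module, names in group_by_module(runtime_resolved_imports(SAMPLE_LISTING)).items():
        print("%s: %s" % (module, ", ".join(names)))
```

Run against the full report text the same way; any block whose loader line names a DLL but whose GetProcAddress arguments show only hex values is where the heuristic fallback applies, and a name that later appears as a direct Name.MODULE( call (CheckTokenMembership in KERNELBASE, SHAutoComplete in SHLWAPI) is confirmation that the resolved pointer was actually used.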

                                                                           Control-flow Graph (rendered in the report; the graph is mostly internal calls, so only the blocks that call Windows APIs are listed, executed/not-executed colouring not recoverable from the text)
                                                                           • Function 00423C0C-00424177
                                                                           • 423dce-423ddc IsIconic
                                                                           • 423e1e-423e3a PostMessageA
                                                                           • 423e61-423e7e PostMessageA
                                                                           • 423e83-423ea0 PostMessageA
                                                                           • 423f13-423f3a SendMessageA
                                                                           • 423f71-423f80 IsWindowEnabled
                                                                           • 423fd0-423fdf IsWindowEnabled
                                                                           • 423fe5-423ff4 IsWindowVisible
                                                                           • 423ffa-424045 GetFocus, SetFocus, SetFocus
                                                                           • 42409a-4240a8 IsIconic
                                                                           • 4240ae-4240b9 GetFocus
                                                                           • 4240ce-4240d4 SetFocus
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                          • Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
                                                                          • Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
                                                                          • Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

                                                                           Control-flow Graph (rendered in the report; the graph consists almost entirely of internal calls, so only the blocks that call Windows APIs are listed, executed/not-executed colouring not recoverable from the text)
                                                                           • Function 004673A4-00468ABE
                                                                           • 467603-467a89 LoadBitmapA
                                                                           • 4683f3-468439 GetSystemMenu, AppendMenuA, AppendMenuA
                                                                          APIs
                                                                            • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
                                                                          • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
                                                                            • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
                                                                            • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                            • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                            • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                            • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                            • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
                                                                            • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                            • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                            • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
                                                                            • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
                                                                            • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
                                                                            • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
                                                                          • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0212FC50,02131948,?,?,02131978,?,?,021319C8,?), ref: 004683FD
                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
                                                                            • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
                                                                          • String ID: $(Default)$STOPIMAGE$%H
                                                                          • API String ID: 3231140908-2624782221
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                                          • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                                          • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID: unins$unins???.*
                                                                          • API String ID: 3541575487-1009660736
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                          • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                          Similarity
                                                                          • API ID: ErrorFileFindFirstLast
                                                                          • String ID:
                                                                          • API String ID: 873889042-0
                                                                          APIs
                                                                          • GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
                                                                          • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
                                                                          Similarity
                                                                          • API ID: CreateInstanceVersion
                                                                          • String ID:
                                                                          • API String ID: 1462612201-0
                                                                          APIs
                                                                          • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                          Similarity
                                                                          • API ID: InfoLocale
                                                                          • String ID:
                                                                          • API String ID: 2299586839-0
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: NameUser
                                                                          • String ID:
                                                                          • API String ID: 2645101109-0
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0

                                                                          Control-flow Graph
                                                                          APIs
                                                                            • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                            • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                          • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Value$Close
                                                                          • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                          • API String ID: 3391052094-3342197833

                                                                          Control-flow Graph
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                                          • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FindSleepWindow
                                                                          • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                          • API String ID: 3078808852-3310373309
                                                                          • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                          • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d

                                                                          Control-flow Graph
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                          • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                          • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                          • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                          • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                          • API String ID: 2230631259-2623177817
                                                                          • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                          • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c

                                                                          Control-flow Graph
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                          Strings
                                                                          • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                          • Inno Setup: App Path, xrefs: 00468E4A
                                                                          • Inno Setup: Icon Group, xrefs: 00468E66
                                                                          • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                          • %s\%s_is1, xrefs: 00468E05
                                                                          • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                          • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                          • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                          • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                          • Inno Setup: No Icons, xrefs: 00468E73
                                                                          • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                          • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1093091907
                                                                          • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                          • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                            • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                            • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                          • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                          • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                            • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                          • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                          • API String ID: 3771764029-544719455
                                                                          • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                          • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d

                                                                          Control-flow Graph
                                                                          APIs
                                                                            • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                          • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                          • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                          • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                          • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                          • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                          • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                          • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                          • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                          • String ID: |6B
                                                                          • API String ID: 183575631-3009739247
                                                                          • Opcode ID: 4cae07da4ecbd82a5ef2c5022e230c145e19d211ee6ce0cd027d67cd6f27acc7
                                                                          • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f

                                                                          Control-flow Graph
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(74620000,SHGetFolderPathA), ref: 0047CF7A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                          • API String ID: 190572456-256906917
                                                                          • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                          • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355

                                                                          Control-flow Graph
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                          • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                          • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                          • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                          • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModulePolicyProcess
                                                                          • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                          • API String ID: 3256987805-3653653586
                                                                          • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                          • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                          APIs
                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: LongWindow$Prop
                                                                          • String ID: 3A$yA
                                                                          • API String ID: 3887896539-3278460822
                                                                          • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                          • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                          • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                          • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

                                                                          Control-flow Graph (function 467180; legend: Executed / Not Executed; graph image not reproduced)
                                                                          APIs
                                                                          • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                            • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                            • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                          • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                          • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                          • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                          • String ID: c:\directory$shell32.dll$%H
                                                                          • API String ID: 3376378930-166502273
                                                                          • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                          • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                          • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                          • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0042F58F
                                                                          • GetFocus.USER32 ref: 0042F597
                                                                          • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                          • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                          • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                          • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                          • String ID: TWindowDisabler-Window
                                                                          • API String ID: 3167913817-1824977358
                                                                          • Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                          • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                          • Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                          • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                          • API String ID: 1646373207-2130885113
                                                                          • Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                          • Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
                                                                          • Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                          • Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
                                                                          APIs
                                                                          • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                          • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                          • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                          • API String ID: 4130936913-2943970505
                                                                          • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                          • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                                          • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                          • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                            • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                            • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                            • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                            • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                          • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                          • API String ID: 854858120-615399546
                                                                          • Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                          • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                          • Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                          • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
                                                                          APIs
                                                                          • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                          • OemToCharA.USER32(?,?), ref: 0042375C
                                                                          • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Char$FileIconLoadLowerModuleName
                                                                          • String ID: 2$MAINICON
                                                                          • API String ID: 3935243913-3181700818
                                                                          • Opcode ID: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                          • Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
                                                                          • Opcode Fuzzy Hash: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                          • Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 00495519
                                                                            • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                          • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                          Strings
                                                                          • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                          Similarity
                                                                          • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                          • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                          • API String ID: 2948443157-222967699
                                                                          • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                          • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                          • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                          • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                          APIs
                                                                          • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                          • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                            • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                            • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                            • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                            • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                            • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                            • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                            • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                            • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                            • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                            • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                            • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                            • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                            • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                          • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                          • API String ID: 316262546-2767913252
                                                                          • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                          • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                          • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                          APIs
                                                                          • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                          • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                          • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                          • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$Prop
                                                                          • String ID:
                                                                          • API String ID: 3887896539-0
                                                                          • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                          • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                          • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                          Strings
                                                                          • PendingFileRenameOperations, xrefs: 00455754
                                                                          • PendingFileRenameOperations2, xrefs: 00455784
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                          • WININIT.INI, xrefs: 004557E4
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                          • API String ID: 47109696-2199428270
                                                                          • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                          • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                          • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                          • API String ID: 1375471231-2952887711
                                                                          • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                          • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                          • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                          APIs
                                                                          • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                          • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                          • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnumLongWindows
                                                                          • String ID: \AB
                                                                          • API String ID: 4191631535-3948367934
                                                                          • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                          • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                          • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                          APIs
                                                                          • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                                          • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressDeleteHandleModuleProc
                                                                          • String ID: RegDeleteKeyExA$advapi32.dll
                                                                          • API String ID: 588496660-1846899949
                                                                          • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                          • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                          • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                          Strings
                                                                          • NextButtonClick, xrefs: 0046BC4C
                                                                          • Need to restart Windows? %s, xrefs: 0046BE95
                                                                          • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                          • API String ID: 0-2329492092
                                                                          • Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                          • Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
                                                                          • Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                                          • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveChangeNotifyWindow
                                                                          • String ID: $Need to restart Windows? %s
                                                                          • API String ID: 1160245247-4200181552
                                                                          • Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                          • Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
                                                                          • Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
                                                                          APIs
                                                                            • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                          • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                          • String ID: Creating directory: %s
                                                                          • API String ID: 2451617938-483064649
                                                                          • Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                          • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                                          • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressByteCharMultiProcWide
                                                                          • String ID: SfcIsFileProtected$sfc.dll
                                                                          • API String ID: 2508298434-591603554
                                                                          • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                          • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                                          • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                          • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                                          APIs
                                                                          • 74D51520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                          • 74D51500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                          • 74D51540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: D51500D51520D51540
                                                                          • String ID: %E
                                                                          • API String ID: 4212506595-175436132
                                                                          • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                          • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                          • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                          • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0044B401
                                                                          • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                          • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectReleaseSelect
                                                                          • String ID: %H
                                                                          • API String ID: 1831053106-1959103961
                                                                          • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                          • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                          • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                          • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                          • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                          • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText$ByteCharMultiWide
                                                                          • String ID: %H
                                                                          • API String ID: 65125430-1959103961
                                                                          • Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                          • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                                          • Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                          • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                                          APIs
                                                                          • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                            • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                            • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                          • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                          • String ID: SHAutoComplete$shlwapi.dll
                                                                          • API String ID: 395431579-1506664499
                                                                          • Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                          • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                          • Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                          • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                          Strings
                                                                          • PendingFileRenameOperations, xrefs: 00455A40
                                                                          • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                          • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                          • API String ID: 47109696-2115312317
                                                                          • Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                          • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                                          • Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                          • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                          • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                          • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                          • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                                          • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                          • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                          • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                          • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                          • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                          • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                          • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                          APIs
                                                                          • GetMenu.USER32(00000000), ref: 00421361
                                                                          • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                          • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Menu
                                                                          • String ID:
                                                                          • API String ID: 3711407533-0
                                                                          • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                          • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                          • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                          • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                          APIs
                                                                          • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                          • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Color$CallMessageProcSendTextWindow
                                                                          • String ID:
                                                                          • API String ID: 601730667-0
                                                                          • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                          • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                          • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                          • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0042311E
                                                                          • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDeviceEnumFontsRelease
                                                                          • String ID:
                                                                          • API String ID: 2698912916-0
                                                                          • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                          • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                          • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                          • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                          APIs
                                                                            • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                          • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                          Strings
                                                                          • EndOffset range exceeded, xrefs: 0045C3CD
                                                                          • NumRecs range exceeded, xrefs: 0045C396
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: File$BuffersFlush
                                                                          • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                          • API String ID: 3593489403-659731555
                                                                          • Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                          • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                          • Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                          • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                          APIs
                                                                            • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                            • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                            • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                            • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                            • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                            • Part of subcall function 004063C4: 6F0F1CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                            • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                            • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                            • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                            • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                            • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                            • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                            • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                            • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                            • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                            • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                            • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                            • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                            • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                            • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                            • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                            • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                            • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                            • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                            • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                            • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                            • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                            • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                          • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                            • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                          • String ID: Setup
                                                                          • API String ID: 504348408-3839654196
                                                                          • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                          • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                          • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                          • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
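Many of the APIs the entry above reaches are not in the import table at all: they are resolved at run time through GetModuleHandleA or LoadLibraryA followed by GetProcAddress (SetDllDirectoryW, SetSearchPathMode, SetProcessDEPPolicy, Wow64DisableWow64FsRedirection, SHGetKnownFolderPath, VerifyVersionInfoW and so on), so the static import list understates what the code can do. When pulling those names out of the report, note that the values Joe prints in parentheses are the stack slots at the call, not parameters matched by name: in the pairs above the export name (NotifyWinEvent, Wow64DisableWow64FsRedirection) appears in the GetModuleHandleA argument list, while the following GetProcAddress line repeats the DLL name in its second slot. The Python below is an added example, not code from Joe Sandbox or from the analysed sample; it parses lines in this format and pools the text slots of every resolver call, classifying them by the .dll suffix rather than by position. The regular expression, the ApiRef record, the RESOLVERS set and the function names are this example's own assumptions; SAMPLE holds lines copied from the entry above (the one whose direct calls are SetErrorMode at 00498C3E and ShowWindow at 00498C9F).

```python
"""Extract run-time resolved imports from Joe Sandbox per-function API lists.

Added example; not part of the Joe Sandbox report or of the sample. The regex,
the record type and the classification rule are assumptions about the line
format shown in the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One report line per API reference. Observed shapes:
#   • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
#   • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000), ref: 00406366
#   • GetCurrentThreadId.KERNEL32 ref: 004107B2          (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# APIs whose text slots name a library or an export being resolved at run time.
RESOLVERS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW",
             "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[str]          # stack slots as printed: 8-hex-digit words, '?' or text
    ref: int                 # address of the call instruction
    parent: Optional[int]    # subcall address when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every API reference line in a block; lines that do not match are skipped."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        refs.append(ApiRef(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            parent=int(m.group("parent"), 16) if m.group("parent") else None,
        ))
    return refs


def string_args(ref: ApiRef) -> List[str]:
    """Slots the report rendered as text, i.e. neither a raw 32-bit word nor '?'."""
    return [a for a in ref.args if a and a != "?" and not HEX32.match(a)]


def dynamic_imports(refs: List[ApiRef]) -> Tuple[List[str], List[str]]:
    """Libraries and export names that occur in resolver calls.

    Text slots are pooled across GetModuleHandle/LoadLibrary/GetProcAddress and
    classified by the '.dll' suffix, not by position, because the printed slots
    are whatever sat on the stack at the call. Stale strings on non-resolver
    calls (see the SetProcessDEPPolicy line in SAMPLE) are ignored.
    """
    libs, syms = set(), set()
    for r in refs:
        if r.api not in RESOLVERS:
            continue
        for s in string_args(r):
            (libs if s.lower().endswith(".dll") else syms).add(s)
    return sorted(libs), sorted(syms)


def calls_by_subcall(refs: List[ApiRef]) -> Dict[Optional[int], List[str]]:
    """Group API names by the subcall that makes them; key None holds the function's own calls."""
    out: Dict[Optional[int], List[str]] = {}
    for r in refs:
        out.setdefault(r.parent, []).append(r.api)
    return out


# Lines copied from the report entry above, used here as sample input.
SAMPLE = """\
• Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
• Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
• Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
• Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
• Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
• SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
• ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
"""

if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE)
    libs, syms = dynamic_imports(recs)
    print("libraries:", libs)
    print("resolved exports:", syms)
    for parent, apis in calls_by_subcall(recs).items():
        print(f"{parent:08X}" if parent is not None else "direct  ", apis)
```

Run against the whole "APIs" section of a report rather than a single entry, the sorted export list is a quick way to see which capabilities (filesystem redirection toggles, DEP policy, known-folder lookups) the binary reaches without declaring them in its import directory. Because the classification is by suffix, a string pushed for a different purpose that happens not to end in .dll (such as a window-class or clipboard-format name on a resolver line) would be listed as an export; check the address of the call before relying on a surprising entry.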
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID: $=H
                                                                          • API String ID: 3660427363-3538597426
                                                                          • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                          • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                          • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                          • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID: .tmp
                                                                          • API String ID: 1375471231-2986845003
                                                                          • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                          • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                          • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                          • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                          APIs
                                                                            • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                            • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                            • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                            • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                            • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                            • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                            • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                            • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                            • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                          • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                          • String ID: SHGetKnownFolderPath$shell32.dll
                                                                          • API String ID: 3869789854-2936008475
                                                                          • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                          • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                          • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                          • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: RegisteredOrganization$RegisteredOwner
                                                                          • API String ID: 3535843008-1113070880
                                                                          • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                          • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                                          • Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                          • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorFileHandleLast
                                                                          • String ID: CreateFile
                                                                          • API String ID: 2528220319-823142352
                                                                          • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                          • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                                          • Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                          • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                          • API String ID: 71445658-2565060666
                                                                          • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                          • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                          • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                          • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                          APIs
                                                                            • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                            • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                            • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                          • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                          • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                          • API String ID: 2906209438-2320870614
                                                                          • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                          • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                                          • Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                          • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                                          APIs
                                                                            • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                            • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                          • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorLibraryLoadModeProc
                                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                          • API String ID: 2492108670-2683653824
                                                                          • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                          • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                                          • Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                          • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                                          APIs
                                                                          • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID:
                                                                          • API String ID: 2574300362-0
                                                                          • Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                          • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                          • Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                          • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
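                                                                          The API records on this page give, per function, the calls and the argument values the analyser could recover: for instance LoadLibraryExA with flag 00000008 followed by GetProcAddress in the record just above, LoadLibraryA plus GetProcAddress for SHPathPrepareForWriteA and SHCreateItemFromParsingName from shell32.dll, and RegOpenKeyExA on hive 80000002. As an added example that is not part of the Joe Sandbox report or of the analysed sample, the following Python script parses records in this layout, decodes the documented Win32 constants in those arguments (registry hives, LoadLibraryEx flags, SetErrorMode flags) and flags the LoadLibrary + GetProcAddress runtime-linking pattern. SAMPLE is constructed by copying three records from this page; the record format assumed is the one visible here, and arguments printed as 00000000 or ? are treated as values the analyser could not recover.

```python
"""Triage Joe Sandbox per-function API records.

Added example, not code from Joe Sandbox or from the analysed sample: the report
lists, per function, the Win32 calls it makes with the argument values the
analyser recovered.  This parses that text, decodes a few documented Win32
constants and flags the LoadLibrary + GetProcAddress run-time linking pattern.
SAMPLE is constructed by copying the shape of three records from the report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r"""
APIs
• LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
• GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
Similarity
• API ID: AddressLibraryLoadProc
• String ID:
APIs
  • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
  • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
Similarity
• API ID: AddressErrorLibraryLoadModeProc
• String ID: SHPathPrepareForWriteA$shell32.dll
APIs
• RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
Similarity
• API ID: Open
• String ID: System\CurrentControlSet\Control\Windows$;H
"""

# Documented Win32 constants (winreg.h, libloaderapi.h, errhandlingapi.h).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
LOAD_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
              0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL"}
ERROR_MODES = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
               0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}

# One reported call: "• Name.MODULE(arg,arg,...), ref: ADDRESS", optionally prefixed
# with "Part of subcall function ADDRESS:" when a callee issues the call.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})\s*$")


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None  # address of the callee that issues the call


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    strings: List[str] = field(default_factory=list)


def parse_hex(token: str) -> Optional[int]:
    """Recovered values are printed as 8 hex digits; '?' and strings give None."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def is_literal_name(token: str) -> bool:
    """True for a recovered string argument; False for '?' or a hex value such as 00000000."""
    return token != "?" and parse_hex(token) is None


def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def parse_records(text: str) -> List[Record]:
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function record opens with this header
            current = Record()
            records.append(current)
        elif current is None or not line:
            continue
        elif (m := CALL_RE.match(raw)):
            args = [a.strip() for a in m["args"].split(",")]
            current.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif line.startswith("• API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):  # '$' separates the strings the function references
            value = line.split(":", 1)[1].strip()
            current.strings = value.split("$") if value else []
    return records


def triage(rec: Record) -> List[str]:
    """Human-readable findings for one record; an empty list means nothing notable."""
    findings = []
    names = {c.name for c in rec.calls}
    if any(n.startswith("LoadLibrary") for n in names) and "GetProcAddress" in names:
        # GetProcAddress(hModule, lpProcName): a literal name shows what is being resolved.
        exports = [c.args[1] for c in rec.calls
                   if c.name == "GetProcAddress" and len(c.args) > 1 and is_literal_name(c.args[1])]
        dlls = [s for s in rec.strings if s.lower().endswith(".dll")]
        findings.append("dynamic API resolution: %s from %s" % (
            ", ".join(exports) or "export name not visible statically",
            ", ".join(dlls) or "module not visible statically"))
    for c in rec.calls:
        first = parse_hex(c.args[0]) if c.args else None
        if c.name.startswith("RegOpenKeyEx") and first is not None and len(c.args) > 1:
            findings.append("registry open %s\\%s" % (HIVES.get(first, hex(first)), c.args[1]))
        elif c.name.startswith("LoadLibraryEx") and len(c.args) > 2 and parse_hex(c.args[2]) is not None:
            findings.append("LoadLibraryEx flags: " + decode_flags(parse_hex(c.args[2]), LOAD_FLAGS))
        elif c.name == "SetErrorMode" and first is not None:
            findings.append("SetErrorMode: " + decode_flags(first, ERROR_MODES))
    return findings


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE), 1):
        print("record %d (%s, %d calls)" % (i, rec.api_id, len(rec.calls)))
        for finding in triage(rec):
            print("  -", finding)
```

                                                                          Run as a script it prints the findings per record. A GetProcAddress whose name argument is 00000000, as in the first record, only says that the export name is supplied at run time; the shell32 records are the ones that show which APIs are resolved. Loading shell32.dll with SEM_NOOPENFILEERRORBOX set and resolving SHPathPrepareForWriteA by name is also how ordinary installers link shell APIs that are absent on older Windows versions, so treat this finding as context for the other signatures on the page rather than as a verdict on its own.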
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                                          • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                                          • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Append$System
                                                                          • String ID:
                                                                          • API String ID: 1489644407-0
                                                                          • Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                          • Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
                                                                          • Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                          • Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
                                                                          APIs
                                                                          • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                                          • TranslateMessage.USER32(?), ref: 0042448F
                                                                          • DispatchMessageA.USER32(?), ref: 00424499
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Message$DispatchPeekTranslate
                                                                          • String ID:
                                                                          • API String ID: 4217535847-0
                                                                          • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                          • Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
                                                                          • Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                          • Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
                                                                          APIs
                                                                          • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                                          • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Prop$Window
                                                                          • String ID:
                                                                          • API String ID: 3363284559-0
                                                                          • Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                          • Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
                                                                          • Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                          • Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 0041EE64
                                                                          • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                                          • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnableEnabledVisible
                                                                          • String ID:
                                                                          • API String ID: 3234591441-0
                                                                          • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                          • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                                          • Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                          • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?), ref: 0046A02D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveWindow
                                                                          • String ID: PrepareToInstall
                                                                          • API String ID: 2558294473-1101760603
                                                                          • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                          • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                                          • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                          • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: /:*?"<>|
                                                                          • API String ID: 0-4078764451
                                                                          • Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                          • Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
                                                                          • Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                          • Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
                                                                          APIs
                                                                          • SetActiveWindow.USER32(?), ref: 00482676
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveWindow
                                                                          • String ID: InitializeWizard
                                                                          • API String ID: 2558294473-2356795471
                                                                          • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                          • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                                          • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                          • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                          • API String ID: 47109696-1019749484
                                                                          • Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                          • Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
                                                                          • Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                          • Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
                                                                          APIs
                                                                          • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                          Strings
                                                                          • Inno Setup: Setup Version, xrefs: 0046EE65
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: Inno Setup: Setup Version
                                                                          • API String ID: 3702945584-4166306022
                                                                          • Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                          • Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
                                                                          • Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                          • Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
                                                                          APIs
                                                                          • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Value
                                                                          • String ID: NoModify
                                                                          • API String ID: 3702945584-1699962838
                                                                          • Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                          • Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
                                                                          • Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                          • Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
                                                                          APIs
                                                                          • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                            • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                            • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                            • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                          • SendNotifyMessageA.USER32(0001044A,00000496,00002711,-00000001), ref: 0047E6BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: EnumFontsMessageNotifyReleaseSend
                                                                          • String ID:
                                                                          • API String ID: 2649214853-0
                                                                          • Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                          • Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
                                                                          • Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                          • Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                            • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMetricsMultiSystemWide
                                                                          • String ID: /G
                                                                          • API String ID: 224039744-2088674125
                                                                          • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                          • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                                          • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                          • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                                          APIs
                                                                          • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                          • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseEnum
                                                                          • String ID:
                                                                          • API String ID: 2818636725-0
                                                                          • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                          • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                          • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                          • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                          APIs
                                                                            • Part of subcall function 00495508: GetDC.USER32(00000000), ref: 00495519
                                                                            • Part of subcall function 00495508: SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                            • Part of subcall function 00495508: GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                            • Part of subcall function 00495508: GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                            • Part of subcall function 00495508: ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                          • MulDiv.KERNEL32(?,?,00000006), ref: 00495AFB
                                                                          • MulDiv.KERNEL32(?,?,0000000D), ref: 00495B10
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Text$ExtentMetricsObjectPointReleaseSelect
                                                                          • String ID:
                                                                          • API String ID: 844173074-0
                                                                          • Opcode ID: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                          • Instruction ID: abe69acf9078cd54ec5aa8dad2b6463f40ee800cf76dae291ad797c0d2ca63cb
                                                                          • Opcode Fuzzy Hash: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                          • Instruction Fuzzy Hash: FC21D6713012009FDB50DF69C8C5AA637E9EB89314F6446B9FD08CF29ADB35EC058B65
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                          • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 2919029540-0
                                                                          • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                          • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                          • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                          • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                          • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindFree
                                                                          • String ID:
                                                                          • API String ID: 4097029671-0
                                                                          • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                          • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                          • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                          • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                          • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CurrentEnumWindows
                                                                          • String ID:
                                                                          • API String ID: 2396873506-0
                                                                          • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                          • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                          • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                          • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                          APIs
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLastMove
                                                                          • String ID:
                                                                          • API String ID: 55378915-0
                                                                          • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                          • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                          • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                          • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                          APIs
                                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1375471231-0
                                                                          • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                          • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                          • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                          • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                          • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CursorLoad
                                                                          • String ID:
                                                                          • API String ID: 3238433803-0
                                                                          • Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                          • Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
                                                                          • Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                          • Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                          • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLibraryLoadMode
                                                                          • String ID:
                                                                          • API String ID: 2987862817-0
                                                                          • Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                          • Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
                                                                          • Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                          • Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
                                                                          APIs
                                                                          • SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
                                                                          • CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FolderFreeKnownPathTask
                                                                          • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                          • API String ID: 969438705-544719455
                                                                          • Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                          • Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
                                                                          • Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                          • Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C
                                                                          APIs
                                                                          • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
                                                                          • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
                                                                            • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$FilePointer
                                                                          • String ID:
                                                                          • API String ID: 1156039329-0
                                                                          • Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                          • Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
                                                                          • Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                          • Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$AllocFree
                                                                          • String ID:
                                                                          • API String ID: 2087232378-0
                                                                          • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                          • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                          • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                          • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                          APIs
                                                                          • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                            • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                            • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DefaultInfoLoadLocaleStringSystem
                                                                          • String ID:
                                                                          • API String ID: 1658689577-0
                                                                          • Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                          • Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
                                                                          • Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                          • Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
                                                                          APIs
                                                                          • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: InfoScroll
                                                                          • String ID:
                                                                          • API String ID: 629608716-0
                                                                          • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                          • Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
                                                                          • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                          • Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
                                                                          APIs
                                                                            • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                            • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                          • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                            • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                            • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                          • String ID:
                                                                          • API String ID: 3319771486-0
                                                                          • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                          • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                          • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                          • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
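The function records above all share one shape: an "APIs" list of call sites (some marked "Part of subcall function"), a "Memory Dump Source" block, and a "Similarity" block whose "String ID" joins referenced strings with "$". The following parser is an added example, not Joe Sandbox code or part of this report: it turns records in that shape into structured data, searches them for API names on an analyst-chosen watchlist (the names below are an arbitrary choice for illustration), and decodes the SetErrorMode argument seen in the ErrorLibraryLoadMode record using the documented Win32 SEM_* constants. The embedded sample text is constructed from lines of this report, shortened to keep the example small.

```python
"""Parse Joe Sandbox function-level records into structured data.

Added example for illustration; not part of Joe Sandbox or of this report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One API line, e.g.  MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
# or  Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)

# Documented Win32 SetErrorMode flags.
SEM_FLAGS = {
    0x0001: "SEM_FAILCRITICALERRORS",
    0x0002: "SEM_NOGPFAULTERRORBOX",
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT",
    0x8000: "SEM_NOOPENFILEERRORBOX",
}

# Constructed sample in the report's format (three records, shortened).
SAMPLE = """APIs
• SetErrorMode.KERNEL32(00008000), ref: 0042E39E
• LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
APIs
• SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
• CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$cmd.exe
• API String ID: 969438705-544719455
APIs
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• SHPathPrepareForWriteA.SHELL32(00000000,00000000), ref: 0046C492
Similarity
• API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
• String ID:
• API String ID: 3319771486-0
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                      # address of the call site
    caller: Optional[str] = None  # set when the report lists the call under a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # Similarity / Memory Dump Source keys

    def api_names(self) -> List[str]:
        return [c.api for c in self.apis]

    def strings(self) -> List[str]:
        sid = self.meta.get("String ID", "")
        return sid.split("$") if sid else []


def parse_api_line(text: str) -> Optional[ApiCall]:
    m = API_RE.match(text)
    if not m:
        return None
    raw = m.group("args")
    return ApiCall(m.group("api"), m.group("module"), raw.split(",") if raw else [],
                   m.group("ref"), m.group("caller"))


def parse_report(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
            if line == "APIs":          # every record opens with its API list
                records.append(FunctionRecord())
            continue
        if not line.startswith("•") or not records:
            continue
        content = line[1:].strip()
        if section == "APIs":
            call = parse_api_line(content)
            if call:
                records[-1].apis.append(call)
        else:
            key, _, value = content.partition(":")
            records[-1].meta[key.strip()] = value.strip()
    return records


def find_watchlist_hits(records, watchlist) -> Dict[str, List[str]]:
    """Map each watched API name to the call-site addresses where it appears."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        for call in rec.apis:
            if call.api in watchlist:
                hits.setdefault(call.api, []).append(call.ref)
    return hits


def decode_set_error_mode(arg: str) -> List[str]:
    value = int(arg, 16)
    return [name for bit, name in SEM_FLAGS.items() if value & bit]


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    # Watchlist is an arbitrary analyst choice for this illustration.
    print(find_watchlist_hits(recs, {"LoadLibraryA", "SHGetKnownFolderPath"}))
    print(decode_set_error_mode("00008000"))
```

Run against a full report pasted into a text file, the watchlist hits give the call-site addresses to jump to in the dumped PE at the listed base offset; the SetErrorMode decode shows that the LoadLibraryA in the ErrorLibraryLoadMode record is preceded by SEM_NOOPENFILEERRORBOX, which suppresses the "file not found" dialog a failed library load would otherwise raise.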
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FileWrite
                                                                          • String ID:
                                                                          • API String ID: 3934441357-0
                                                                          • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                          • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                          • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                          APIs
                                                                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateWindow
                                                                          • String ID:
                                                                          • API String ID: 716092398-0
                                                                          • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                          • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                          • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                          • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
APIs
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
• Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
• Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
• Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
• Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
• Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
• Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
• Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
• Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
• Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
• Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
• Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
APIs
• GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
Similarity
• API ID: ExtentPointText
• String ID:
• API String ID: 566491939-0
• Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
• Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
• Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
• Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
APIs
• CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
• Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
• Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
• Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
• Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
• Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
• Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
APIs
• FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
• Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
• Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
• Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
APIs
• KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
• Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
• Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
• Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
• Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
APIs
  • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
• ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
• Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
• Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
• Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
APIs
• SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: TextWindow
                                                                          • String ID:
                                                                          • API String ID: 530164218-0
                                                                          • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                          • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                          • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                          • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                          APIs
                                                                          • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CallbackDispatcherUser
                                                                          • String ID:
                                                                          • API String ID: 2492992576-0
                                                                          • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                          • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                          • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                          • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesFile
                                                                          • String ID:
                                                                          • API String ID: 3188754299-0
                                                                          • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                          • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                          • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                          • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                          • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                          • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                          • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                          APIs
                                                                          • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                            • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 734332943-0
                                                                          • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                          • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                          • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                          • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                          APIs
                                                                          • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory
                                                                          • String ID:
                                                                          • API String ID: 1611563598-0
                                                                          • Opcode ID: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                          • Instruction ID: 2ee9fcf0c2ecb8048618371478a38130c752a95b947e2a8aefd026f579ab26ad
                                                                          • Opcode Fuzzy Hash: 9cfe1b671e2ded52e2a4f1899edd371c25323ab6eac1b77aed394817f5a1d109
                                                                          • Instruction Fuzzy Hash: 33B012E03D120A2BCA0079FE4CC192A00CC46292163401B3B3006EB1C3D83DC8180824
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                          • Instruction ID: 426ac138898b17598b25982f2c454791bd479401c65f9a69ae9baa170422678e
                                                                          • Opcode Fuzzy Hash: cb8e2ebd86b0ac1182f6c4657d989dfa6a466ad308997f4b3834ff3b1e7758f7
                                                                          • Instruction Fuzzy Hash: CDB09B7670C6105EE709D6D5B45552D63D4D7C57207E14477F010D2581D57D58054E18
                                                                          APIs
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DestroyWindow
                                                                          • String ID:
                                                                          • API String ID: 3375834691-0
                                                                          • Opcode ID: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                          • Instruction ID: 4f6e5339ba6c71e81ef5aec1f6829bfe42d3c8de95bc03762545e97b2cddf6f9
                                                                          • Opcode Fuzzy Hash: 1244af60e57b01067fe56da529b9c4312cbd500fa9ed17bad69dff1823a021af
                                                                          • Instruction Fuzzy Hash: 1AA00275501500AADA00E7B5D849F7E2298BB44204FD905F9714897056C57C99008B55
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                          • Instruction ID: 41a6872630840156d23f43a697f0b10540748f54e9aa1b8241e7bbe25a2b1888
                                                                          • Opcode Fuzzy Hash: 2f87504b9b3c5ef8a424e08888e9b878f09f15df180bfdf00abd21092ab1bc52
                                                                          • Instruction Fuzzy Hash: 73517574E002099FDB00EFA9C892AAFBBF5EB49314F50817AE500E7351DB389D41CB98
                                                                          APIs
                                                                          • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                          • Instruction ID: 3312bc658de40493dbbbdb628fa1ac862c14c743cb2aabe02eeb7d71ec829e14
                                                                          • Opcode Fuzzy Hash: f624f178b2757757f6ee0ed82108e7e17b49aa81eb1cfd09d0e3ddd3732ee692
                                                                          • Instruction Fuzzy Hash: D5115A752007059BCB20DF19D880B82FBE5EF98390F10C53BE9688B385D3B4E8458BA9
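The VirtualAlloc record above (flAllocationType 0x1000 = MEM_COMMIT, flProtect 0x40 = PAGE_EXECUTE_READWRITE) and the earlier CreateFileA record (dwDesiredAccess 0xC0000000 = GENERIC_READ|GENERIC_WRITE, dwCreationDisposition 2 = CREATE_ALWAYS) are the kind of lines an analyst scans for by hand when triaging these per-function "APIs" bullets. The following is an added example, not Joe Sandbox code and not part of the original report: a small parser for the API-bullet notation used on this page (`Name.MODULE(arg,arg,...), ref: ADDR`, where `?` is an argument the static analysis could not resolve) plus two triage heuristics of my own choosing. The Win32 constants are the documented SDK values; the sample lines are copied from the report above.

```python
"""Parse Joe Sandbox per-function "APIs" bullets and flag RWX allocations and
file drops. Added example for this report page; the heuristics are the
editor's own, not part of Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One API bullet looks like:
#   • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?), ref: 0041F3E2
# Arguments are hex words; '?' marks a value the analysis could not resolve.
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants from the Windows SDK headers
MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 2


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report prints '?'
    ref: int                    # address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the ApiCall on this report line, or None if it is not an API bullet."""
    m = API_LINE.search(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    for raw in m.group("args").split(","):
        raw = raw.strip()
        if raw:
            args.append(None if raw == "?" else int(raw, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def triage(call: ApiCall) -> List[str]:
    """Heuristics applied to one resolved call; returns human-readable notes."""
    notes: List[str] = []
    if call.api == "VirtualAlloc" and len(call.args) >= 4:
        size, alloc_type, protect = call.args[1], call.args[2], call.args[3]
        if protect == PAGE_EXECUTE_READWRITE:
            size_txt = f"0x{size:X}" if size is not None else "?"
            committed = alloc_type is not None and bool(alloc_type & MEM_COMMIT)
            notes.append(
                f"{call.ref:08X}: RWX VirtualAlloc of {size_txt} bytes"
                f"{' (committed)' if committed else ''} - typical of an unpacking stub"
            )
    if call.api == "CreateFileA" and len(call.args) >= 5:
        access, disposition = call.args[1], call.args[4]
        if access is not None and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
            notes.append(
                f"{call.ref:08X}: CreateFileA with GENERIC_WRITE|CREATE_ALWAYS - file drop or overwrite"
            )
    return notes


def triage_report(lines: List[str]) -> List[str]:
    """Run parse + triage over raw report lines; non-API lines are skipped."""
    findings: List[str] = []
    for line in lines:
        call = parse_api_line(line)
        if call is not None:
            findings.extend(triage(call))
    return findings


# Lines copied from the report above (VirtualAlloc, CreateFileA, VirtualFree, a subcall bullet).
SAMPLE_LINES = [
    "• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2",
    "• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD",
    "• VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766",
    "  • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644",
]

if __name__ == "__main__":
    for note in triage_report(SAMPLE_LINES):
        print(note)
```

Only the first four VirtualAlloc arguments are meaningful (the trailing values in the bullet are stack contents the analyzer prints for context), so the heuristic indexes by position and tolerates unresolved `?` values rather than assuming every argument is known.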
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1452528299-0
                                                                          • Opcode ID: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                          • Instruction ID: b902f5f71593d0acd8113edc39c0d5725662cc955bae9521e0e34912f41e4d76
                                                                          • Opcode Fuzzy Hash: 796ee09302341f2f0fe022b6b7ad64e2259239b3e6510a293da86372227c0e6a
                                                                          • Instruction Fuzzy Hash: 850170356042486FC701DF699C008EEFBE8EB4D76171082B7FC24C3382D7345E059664
                                                                          APIs
                                                                          • VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                          Memory Dump Source
                                                                           • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• LocalAlloc.KERNEL32(00000000,00000644,?,0049B450,004013A3,?,?,00401443,?,?,?,?,?,00401983), ref: 00401353
Similarity
• API ID: AllocLocal
• String ID:
• API String ID: 3494564517-0
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
• GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
• SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
• FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
Strings
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
APIs
• GetTickCount.KERNEL32 ref: 0045862F
• QueryPerformanceCounter.KERNEL32(02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 00458638
• GetSystemTimeAsFileTime.KERNEL32(02113858,02113858), ref: 00458642
• GetCurrentProcessId.KERNEL32(?,02113858,00000000,004588C2,?,?,02113858,00000000,?,00458FBE,?,02113858,00000000), ref: 0045864B
• CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02113858,02113858), ref: 004586CF
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
  • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
• CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
• CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
  • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
Strings
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
APIs
  • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
  • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
  • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
  • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC), ref: 004783CC
  • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
  • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02112BDC,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
• ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
• GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
• CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
Strings
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
APIs
• SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
• ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
Similarity
• API ID: MessageSendShowWindow
• String ID:
• API String ID: 1631623395-0
APIs
• IsIconic.USER32(?), ref: 00418393
• GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
• GetWindowRect.USER32(?), ref: 004183CC
• GetWindowLongA.USER32(?,000000F0), ref: 004183DA
• GetWindowLongA.USER32(?,000000F8), ref: 004183EF
• ScreenToClient.USER32(00000000), ref: 004183F8
• ScreenToClient.USER32(00000000,?), ref: 00418403
Strings
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
• ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
Strings
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                          • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                          • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                          • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressProc$CryptVersion
                                                                          • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                          • API String ID: 1951258720-508647305
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                                          • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirstNext
                                                                          • String ID: isRS-$isRS-???.tmp
                                                                          • API String ID: 134685335-3422211394
                                                                          APIs
                                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
                                                                          • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
                                                                          • SetForegroundWindow.USER32(?), ref: 00457649
                                                                          • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
                                                                          Strings
                                                                          • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
                                                                          Similarity
                                                                          • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                          • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                          • API String ID: 2236967946-3182603685
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                          • API String ID: 1646373207-3712701948
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00417D0F
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Window$Placement$Iconic
                                                                          • String ID: ,
                                                                          • API String ID: 568898626-3772416878
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
                                                                          • FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
                                                                          Similarity
                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                          • String ID:
                                                                          • API String ID: 4011626565-0
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
                                                                          • FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
                                                                          Similarity
                                                                          • API ID: Find$File$CloseErrorFirstModeNext
                                                                          • String ID:
                                                                          • API String ID: 4011626565-0
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
                                                                          • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
                                                                          • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
                                                                          • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
                                                                          Similarity
                                                                          • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                          • String ID:
                                                                          • API String ID: 1177325624-0
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 0048397A
                                                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
                                                                          • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
                                                                          • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
                                                                          Similarity
                                                                          • API ID: Window$Show$IconicLong
                                                                          • String ID:
                                                                          • API String ID: 2754861897-0
                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
                                                                          • FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                          Similarity
                                                                          • API ID: Find$File$CloseFirstNext
                                                                          • String ID:
                                                                          • API String ID: 3541575487-0
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 004241E4
                                                                          • SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
                                                                            • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                            • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
                                                                          • SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveFocusIconicShow
                                                                          • String ID:
                                                                          • API String ID: 649377781-0
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 00417D0F
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
                                                                          • GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
                                                                          • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Placement$Iconic
                                                                          • String ID:
                                                                          • API String ID: 568898626-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureIconic
                                                                          • String ID:
                                                                          • API String ID: 2277910766-0
                                                                          APIs
                                                                          • IsIconic.USER32(?), ref: 0042419B
                                                                            • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                            • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                            • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                            • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                          • SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
                                                                            • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                          • String ID:
                                                                          • API String ID: 2671590913-0
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          APIs
                                                                          • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: NtdllProc_Window
                                                                          • String ID:
                                                                          • API String ID: 4255912815-0
                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          APIs
                                                                          • ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CryptFour
                                                                          • String ID:
                                                                          • API String ID: 2153018856-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3210410327.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000002.00000002.3210379573.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                          • Associated: 00000002.00000002.3210456737.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_10000000_steel.jbxd
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3210410327.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                          • Associated: 00000002.00000002.3210379573.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                          • Associated: 00000002.00000002.3210456737.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_10000000_steel.jbxd
                                                                          APIs
                                                                            • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                          • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                          • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                          • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                          • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                          • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                          • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                          • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                          • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                          • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                          • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                          • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                          • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                          • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                          • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoadVersion
                                                                          • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                          • API String ID: 1968650500-2910565190
                                                                          • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                          • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                          • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                          • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0041CA40
                                                                          • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                          • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                          • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                          • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                          • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                          • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                          • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                          • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                          • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                          • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                          • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                          • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                          • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                          • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                          • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                          • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                            • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                          • String ID:
                                                                          • API String ID: 269503290-0
                                                                          • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                          • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                          • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                          • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                          APIs
                                                                          • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                          • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                          • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                          Strings
                                                                          • CoCreateInstance, xrefs: 004566AF
                                                                          • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                          • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                          • IPropertyStore::Commit, xrefs: 004568E3
                                                                          • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                          • IPersistFile::Save, xrefs: 00456962
                                                                          • {pf32}\, xrefs: 0045671E
                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                          • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInstance$FreeString
                                                                          • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                          • API String ID: 308859552-2363233914
                                                                          • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                          • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
                                                                          • Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                          • Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
                                                                          APIs
                                                                          • ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
                                                                          • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
                                                                          • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
                                                                          • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
                                                                            • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                          • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                          • API String ID: 2000705611-3672972446
                                                                          • Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                          • Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
                                                                          • Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
                                                                          • Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                          • API String ID: 1452528299-3112430753
                                                                          • Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                          • Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
                                                                          • Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
                                                                          • Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 0045CBDA
                                                                          • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
                                                                          • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
                                                                          • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
                                                                          • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
                                                                            • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
                                                                          • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                          • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                          • API String ID: 59345061-4263478283
                                                                          • Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                          • Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
                                                                          • Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
                                                                          • Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
                                                                          APIs
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
                                                                          • CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
                                                                          • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
                                                                          • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
                                                                          • GetDC.USER32(00000000), ref: 0041B402
                                                                          • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041B455
                                                                          • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                          • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                          • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                          • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                          • String ID:
                                                                          • API String ID: 644427674-0
                                                                          • Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                          • Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
                                                                          • Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
                                                                          • Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
                                                                          APIs
                                                                            • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                          • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
                                                                          • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
                                                                          • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
                                                                          • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                          • String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
                                                                          • API String ID: 971782779-3668018701
                                                                          • Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                          • Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
                                                                          • Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
                                                                          • Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
                                                                            • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                          • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
                                                                          • RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
                                                                          Strings
                                                                          • , xrefs: 004548FE
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
                                                                          • RegOpenKeyEx, xrefs: 00454910
                                                                          Similarity
                                                                          • API ID: QueryValue$FormatMessageOpen
                                                                          • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 2812809588-1577016196
                                                                          • Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                          • Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
                                                                          • Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
                                                                          • Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
                                                                          APIs
                                                                            • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
                                                                          Strings
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
                                                                          • v4.0.30319, xrefs: 004594F1
                                                                          • v1.1.4322, xrefs: 004595C2
                                                                          • v2.0.50727, xrefs: 0045955B
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
                                                                          • .NET Framework not found, xrefs: 0045961D
                                                                          • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
                                                                          • .NET Framework version %s not found, xrefs: 00459609
                                                                          Similarity
                                                                          • API ID: Close$Open
                                                                          • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                          • API String ID: 2976201327-446240816
                                                                          • Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                          • Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
                                                                          • Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
                                                                          • Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
                                                                          APIs
                                                                          • CloseHandle.KERNEL32(?), ref: 00458A7B
                                                                          • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
                                                                          • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                          • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                          • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                          • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                          Strings
                                                                          • Helper isn't responding; killing it., xrefs: 00458A87
                                                                          • Helper process exited., xrefs: 00458AC5
                                                                          • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                          • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                          • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                          Similarity
                                                                          • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                          • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                          • API String ID: 3355656108-1243109208
                                                                          • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                          • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                          • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                          • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                          APIs
                                                                            • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                            • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                          Strings
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                          • RegCreateKeyEx, xrefs: 004545C3
                                                                          • , xrefs: 004545B1
                                                                          • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                          Similarity
                                                                          • API ID: CloseCreateFormatMessageQueryValue
                                                                          • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                          • API String ID: 2481121983-1280779767
                                                                          • Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                          • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                          • Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                          • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
                                                                          APIs
                                                                            • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                            • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                          • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                          • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                          • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                          • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                            • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                          • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                          • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                          • API String ID: 1549857992-2312673372
                                                                          • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                          • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                                          • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                          • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: AddressCloseHandleModuleProc
                                                                          • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                          • API String ID: 4190037839-2312295185
                                                                          • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                          • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                          • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                          • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
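The per-function records above (APIs, Strings, Similarity) are the raw output of the Joe Sandbox IDA plugin; reading hundreds of them by hand is slow, and the argument columns only make sense once the hex constants are decoded (for instance the 00002710 passed to WaitForSingleObject in the helper-process record is 10000 ms, and TerminateProcess is called with exit code 1). The following Python is an added example, not part of this report and not Joe Sandbox or sample code: it parses such records into structured data and runs a small triage pass over them. The sample input is three records copied from the report above; the watch-lists, the registry-path pattern and the assumptions about the record layout (every record opens with an "APIs" line, entries are "•" bullets, sub-call entries carry the "Part of subcall function" prefix) are my own.

```python
"""Parse Joe Sandbox IDA-plugin function records (APIs / Strings / Similarity)
and run a small triage pass.  Added example; not part of the report."""
import re
from typing import Dict, List, Optional

# Inline sample input: three records excerpted verbatim from the report above.
SAMPLE = r"""APIs
• CloseHandle.KERNEL32(?), ref: 00458A7B
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
• GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
Strings
• Helper isn't responding; killing it., xrefs: 00458A87
• Helper process exited, but failed to get exit code., xrefs: 00458AEF
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• API String ID: 3355656108-1243109208
APIs
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
• RegCreateKeyEx, xrefs: 004545C3
• , xrefs: 004545B1
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• API String ID: 2481121983-1280779767
APIs
• GetActiveWindow.USER32 ref: 004629FC
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
Strings
Similarity
• API ID: Window$AddressProc$ActiveHandleModuleRect
"""

SECTIONS = ("APIs", "Strings", "Similarity")
# "[Part of subcall function ADDR: ]Name.DLL[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-F]{8}): )?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]{8})$")
STR_RE = re.compile(r"^(.*), xrefs: ([0-9A-F]{8})$")     # the string may be empty
FIELD_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")           # "API ID: ...", "String ID: ..."
REG_PATH_RE = re.compile(r"^(?:software|system)\\", re.I)  # my own heuristic


def parse_blocks(text: str) -> List[Dict]:
    """One dict per function record: its API calls, strings and Similarity fields."""
    blocks: List[Dict] = []
    cur: Optional[Dict] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()                     # sub-call bullets are indented
        if line in SECTIONS:
            if line == "APIs":                 # every record opens with "APIs"
                cur = {"apis": [], "strings": [], "fields": {}}
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue                           # dump-source / plugin lines are ignored
        body = line[1:].strip()
        if section == "APIs" and (m := API_RE.match(body)):
            caller, name, dll, args, ref = m.groups()
            cur["apis"].append({"name": name, "dll": dll, "ref": ref,
                                "subcall": caller,        # None for a direct call
                                "args": args.split(",") if args else []})
        elif section == "Strings" and (m := STR_RE.match(body)):
            cur["strings"].append({"text": m.group(1), "xref": m.group(2)})
        elif section == "Similarity" and (m := FIELD_RE.match(body)):
            cur["fields"][m.group(1)] = m.group(2)
    return blocks


WATCH = {   # my own watch-lists for this example, not a Joe Sandbox signature
    "registry write": {"RegCreateKeyExA", "RegSetValueExA", "WritePrivateProfileStringA"},
    "process control": {"TerminateProcess", "CreateProcessA", "ShellExecuteExA"},
    "dynamic import": {"GetProcAddress"},
}


def hex_arg(arg: str) -> Optional[int]:
    """Decode one 8-hex-digit argument as the report prints it; '?' -> None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def triage(blocks: List[Dict]) -> List[tuple]:
    """(record index, label, detail) for every watch-list hit, registry path
    found in the strings, and decoded WaitForSingleObject timeout."""
    findings = []
    for i, b in enumerate(blocks):
        names = {a["name"] for a in b["apis"]}
        for label, apis in WATCH.items():
            if hit := sorted(names & apis):
                findings.append((i, label, hit))
        paths = [s["text"] for s in b["strings"] if REG_PATH_RE.match(s["text"])]
        if paths:
            findings.append((i, "registry path", paths))
        for a in b["apis"]:
            # WaitForSingleObject(hHandle, dwMilliseconds): second argument is the timeout
            if a["name"] == "WaitForSingleObject" and len(a["args"]) > 1:
                ms = hex_arg(a["args"][1])
                if ms is not None:
                    findings.append((i, "wait timeout ms", [ms]))
    return findings


if __name__ == "__main__":
    for idx, label, detail in triage(parse_blocks(SAMPLE)):
        print(f"record {idx}: {label}: {detail}")
```

Run against the full text of the report, the parser yields one record per function, and the triage pass surfaces the records worth opening in the memory dump first: those that create registry keys, terminate processes, or resolve imports at run time, together with the decoded timeouts. Arguments the sandbox could not resolve are printed as "?" and are kept as-is rather than guessed.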
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 004629FC
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                          • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                          • API String ID: 2610873146-3407710046
                                                                          • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                          • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                                          • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                          • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                                          APIs
                                                                          • GetActiveWindow.USER32 ref: 0042F194
                                                                          • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                          • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                          • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                          • API String ID: 2610873146-3407710046
                                                                          • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                          • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                          • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                          • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                          APIs
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,02113858,00000000), ref: 00458C79
                                                                          • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                          • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                          • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                          • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02113858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                          • String ID: CreateEvent$TransactNamedPipe
                                                                          • API String ID: 2182916169-3012584893
                                                                          • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                          • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                          • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                          • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                                          • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                          • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                          • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                          • API String ID: 1914119943-2711329623
                                                                          • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                          • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                          • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                          • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                                          APIs
                                                                          • RectVisible.GDI32(?,?), ref: 00416E13
                                                                          • SaveDC.GDI32(?), ref: 00416E27
                                                                          • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                          • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                          • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                          • DeleteObject.GDI32(?), ref: 00416F22
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                          • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                          • DeleteObject.GDI32(?), ref: 00416F6F
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                          • String ID:
                                                                          • API String ID: 375863564-0
                                                                          • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                          • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                          • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                          • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                          • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                          • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                          • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                          • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                          • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                          • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                          • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                          • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                          • String ID:
                                                                          • API String ID: 1694776339-0
                                                                          • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                          • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                          • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                          • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                          APIs
                                                                          • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                          • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                          • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                          • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                          • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                          • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                          • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                          • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                          • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                          • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$EnableItem$System
                                                                          • String ID:
                                                                          • API String ID: 3985193851-0
                                                                          • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                          • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                          • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                          • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                          • SendNotifyMessageA.USER32(0001044A,00000496,00002710,00000000), ref: 00481A97
                                                                          Strings
                                                                          • DeinitializeSetup, xrefs: 0048190D
                                                                          • GetCustomSetupExitCode, xrefs: 004818B1
                                                                          • Deinitializing Setup., xrefs: 00481872
                                                                          • Restarting Windows., xrefs: 00481A72
                                                                          • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FreeLibrary$MessageNotifySend
                                                                          • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                          • API String ID: 3817813901-1884538726
                                                                          • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                          • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                          • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                          • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                          APIs
                                                                          • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                          • GetActiveWindow.USER32 ref: 0046172B
                                                                          • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                          • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                          • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                          • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                          • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                          • String ID: A
                                                                          • API String ID: 2684663990-3554254475
                                                                          • Opcode ID: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                          • Instruction ID: 0f37cca2ee7d5c89cd5c8fe3b5c5f67eac08b275376d6c087401a1ac056189be
                                                                          • Opcode Fuzzy Hash: cb3d39f68a826354347aa7a8a61ff080deb010c50648a66159b3978de9eda5bc
                                                                          • Instruction Fuzzy Hash: C3312F70E00348AFDB10EFA6D885A9EBBF8EB09304F55847AF404E7251E7785A048F59
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                            • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                            • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                          • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                          • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                          • API String ID: 884541143-1710247218
                                                                          • Opcode ID: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                          • Instruction ID: 1765d5ebfc4e6887f49e3816ac39c9d5a3c16910e93b0aec031ce55b1572895b
                                                                          • Opcode Fuzzy Hash: c45dacd24f7b5bc8c90ad3d0814151273abff7c22a7deb77a2667df06dffab17
                                                                          • Instruction Fuzzy Hash: 6711B2707005147BD721EAAA8D82B9F73ACDB49714F61C17BB404B72C2DBBCAE01861C
                                                                          APIs
                                                                          • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                          • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                          • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                          • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc
                                                                          • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                          • API String ID: 190572456-3516654456
                                                                          • Opcode ID: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                          • Instruction ID: d913f85fec6517a53d2ec7ba369195fd603025f4bffd93910817278a70f0814a
                                                                          • Opcode Fuzzy Hash: 5039b32c95ab4f878aa340bc95ef1656196d0563f790867e571847c0b893819f
                                                                          • Instruction Fuzzy Hash: C20112B0D00701DBE724DFF6ACC672636A5ABA8306F14C03B9D09962A2D77D0459DF2E
                                                                          APIs
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                          • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                          • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                          • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                          • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                          • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Color$StretchText
                                                                          • String ID:
                                                                          • API String ID: 2984075790-0
                                                                          • Opcode ID: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                          • Instruction ID: 4467ea82dd13d464879b0bd0dd0607b47ee3045dce17e21d2c6451b7f26a8ea4
                                                                          • Opcode Fuzzy Hash: c2c61a06e11fc6ac6c72d0136d8e20986a2ab5507b690e8d84a304c9a27ba9fd
                                                                          • Instruction Fuzzy Hash: 8761E5B5A00505AFCB40EFADD985E9AB7F8EF08314B10816AF908DB262C775ED40CF58
                                                                          APIs
                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                          • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDirectoryHandleSystem
                                                                          • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                          • API String ID: 2051275411-1862435767
                                                                          • Opcode ID: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                          • Instruction ID: cda81b302c56d3c3b7af3d8ffa4af26d40175ae7a7c1cff7e24eee752c39b11a
                                                                          • Opcode Fuzzy Hash: 4002d2de1ab03b38d977d670fcb0d45de6735b09ab9cf6adf03ef289ce7e4165
                                                                          • Instruction Fuzzy Hash: 21411670A047486BDB10EFD6D842B8DBBF9AF45305F50407FB904BB292DF789A098B19
                                                                          APIs
                                                                          • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                          • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                          • GetSysColor.USER32(00000010), ref: 0044D202
                                                                          • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                          • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Text$Color$Draw$OffsetRect
                                                                          • String ID:
                                                                          • API String ID: 1005981011-0
                                                                          • Opcode ID: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                          • Instruction ID: 8406a00effd73db105afccad7da3796984cf264811f0ddac3e5cace4e0ac1d2b
                                                                          • Opcode Fuzzy Hash: 32856f07fc45aa5b94f1f38070a47e962b22e9d58654105098b1be26c78061dc
                                                                          • Instruction Fuzzy Hash: A021BDB42015047FC710FB2ACD8AE8B6BDCDF19319B05457AB958EB292C67CDD404668
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041B745
                                                                          • GetDC.USER32(?), ref: 0041B751
                                                                          • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                          • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                          • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                          • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                          • String ID: %H
                                                                          • API String ID: 3275473261-1959103961
                                                                          • Opcode ID: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                          • Instruction ID: 38bdddf8d72f5571b31e8017bfcff87152bbfcb95d4f6cd7f9962c0a723fddb9
                                                                          • Opcode Fuzzy Hash: 9b17a45ebd00e155e5aeae17ac6cac102e8e00fd56b9a0d3692e3d2bf0971335
                                                                          • Instruction Fuzzy Hash: 8A512F70A002099FDF11DFA9C881AEEBBF9FF49704F104066F504A7791D7799981CBA9
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041BA17
                                                                          • GetDC.USER32(?), ref: 0041BA23
                                                                          • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                          • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                          • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                          • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                          • String ID: %H
                                                                          • API String ID: 3275473261-1959103961
                                                                          • Opcode ID: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                          • Instruction ID: 3fcaffe560058c7771eaec6053d79e0e1924f360d52694d27862de55114c0f48
                                                                          • Opcode Fuzzy Hash: f1b656a7ede54f8d65f93cc35dc493626dae048aef23b352968a277fb398f08e
                                                                          • Instruction Fuzzy Hash: 9D512A74A002189FDB11DFA9C891AAEBBF9FF49700F154066F904EB751D738AD40CBA4
                                                                          APIs
                                                                            • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                            • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                          • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                          • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                          • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                          • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                          Strings
                                                                          • Deleting Uninstall data files., xrefs: 004964FB
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                          • String ID: Deleting Uninstall data files.
                                                                          • API String ID: 1570157960-2568741658
                                                                          • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                          • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                          • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                          • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                          • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                          Strings
                                                                          • Failed to open Fonts registry key., xrefs: 00470281
                                                                          • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                          • AddFontResource, xrefs: 004702B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                          • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                          • API String ID: 955540645-649663873
                                                                          • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                          • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                          • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                          • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                          APIs
                                                                            • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                            • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                            • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                          • GetVersion.KERNEL32 ref: 00462E60
                                                                          • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                          • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                          • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                          • String ID: Explorer
                                                                          • API String ID: 2594429197-512347832
                                                                          • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                          • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                          • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                          • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                          • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                          • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02112BDC,?,?,?,02112BDC), ref: 004783CC
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,02112BDC,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                          • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                          • API String ID: 2704155762-2318956294
                                                                          • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                          • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                          • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                          • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
                                                                            • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                                          Strings
                                                                          • Failed to strip read-only attribute., xrefs: 00459EA0
                                                                          • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                                          • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                                          • Deleting directory: %s, xrefs: 00459E5B
                                                                          • Stripped read-only attribute., xrefs: 00459E94
                                                                          • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                                          • Failed to delete directory (%d)., xrefs: 00459F68
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseErrorFindLast
                                                                          • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                          • API String ID: 754982922-1448842058
                                                                          • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                          • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                          • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                          • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                          APIs
                                                                          • GetCapture.USER32 ref: 00422EA4
                                                                          • GetCapture.USER32 ref: 00422EB3
                                                                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                                          • ReleaseCapture.USER32 ref: 00422EBE
                                                                          • GetActiveWindow.USER32 ref: 00422ECD
                                                                          • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                                          • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                                          • GetActiveWindow.USER32 ref: 00422FBF
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                          • String ID:
                                                                          • API String ID: 862346643-0
                                                                          • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                          • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                          • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                          • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                          APIs
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                                          • GetActiveWindow.USER32 ref: 0042F2DA
                                                                          • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                                          • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveLong$Message
                                                                          • String ID:
                                                                          • API String ID: 2785966331-0
                                                                          • Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                          • Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
                                                                          • Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                          • Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0042948A
                                                                          • GetTextMetricsA.GDI32(00000000), ref: 00429493
                                                                            • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004294A2
                                                                          • GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 004294B6
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 004294BE
                                                                          • GetSystemMetrics.USER32(00000006), ref: 004294E3
                                                                          • GetSystemMetrics.USER32(00000006), ref: 004294FD
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                          • String ID:
                                                                          • API String ID: 1583807278-0
                                                                          • Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                          • Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
                                                                          • Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                          • Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0041DE27
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                                          • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                                          • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                                          • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                                          • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                                          • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                          • String ID:
                                                                          • API String ID: 225703358-0
                                                                          • Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                          • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                          • Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                          • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                          APIs
                                                                          • LoadCursorA.USER32(00000000,00007F02), ref: 00463344
                                                                          • SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
                                                                          • SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load
                                                                          • String ID: $ $Internal error: Item already expanding
                                                                          • API String ID: 1675784387-1948079669
                                                                          • Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                          • Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
                                                                          • Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                          • Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
Strings
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
• Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
• Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
• Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
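The strings in the entry above (WININIT.INI, [rename], NUL, MoveFileEx, .tmp) point at the two Windows mechanisms for replacing or deleting a file at the next boot: a [rename] section written to WININIT.INI on Windows 9x, and MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT on NT, which queues the operation in the PendingFileRenameOperations registry value. Either one lets an installer, or anything it drops, swap a staged .tmp into place after the analysis run has ended, so both are worth checking during triage. The script below is an added example, not code from this page, from Inno Setup or from the sample; it parses both sources from constructed input (the paths in it are made up) and lists what would change at boot.

```python
"""Recover reboot-deferred file operations from the two sources the
WININIT.INI / [rename] / NUL / MoveFileEx strings refer to.

Added example, not Inno Setup or Socks5Systemz code.  All inputs are constructed;
on a live host PendingFileRenameOperations is the REG_MULTI_SZ value under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager, and WININIT.INI exists
only on Windows 9x, in the Windows directory.
"""
from __future__ import annotations

from dataclasses import dataclass

NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class DeferredOp:
    source: str
    destination: str | None   # None: delete source at next boot
    replace_existing: bool
    origin: str               # "wininit.ini" or "registry"

    @property
    def is_delete(self) -> bool:
        return self.destination is None

    def describe(self) -> str:
        if self.is_delete:
            return f"DELETE  {self.source}  [{self.origin}]"
        flag = " (overwrite)" if self.replace_existing else ""
        return f"RENAME  {self.source} -> {self.destination}{flag}  [{self.origin}]"


def parse_wininit_rename(ini_text: str) -> list[DeferredOp]:
    """[rename] lines read 'destination=source'; 'NUL=source' deletes source.
    WININIT.INI is processed before long-filename support is up, so entries
    use 8.3 paths."""
    ops: list[DeferredOp] = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if not in_rename or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(DeferredOp(src, None, False, "wininit.ini"))
        else:
            # A [rename] entry exists to swap a staged file over an in-use one,
            # so the destination is overwritten.
            ops.append(DeferredOp(src, dest, True, "wininit.ini"))
    return ops


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(values: list[str]) -> list[DeferredOp]:
    """PendingFileRenameOperations is a flat list of (source, destination) pairs.
    Paths carry the \\??\\ NT prefix; an empty destination means delete; a
    leading '!' on the destination encodes MOVEFILE_REPLACE_EXISTING."""
    ops: list[DeferredOp] = []
    for i in range(0, len(values) - 1, 2):
        src, dst = values[i], values[i + 1]
        if dst == "":
            ops.append(DeferredOp(_strip_nt(src), None, False, "registry"))
        else:
            replace = dst.startswith("!")
            ops.append(DeferredOp(_strip_nt(src), _strip_nt(dst.lstrip("!")), replace, "registry"))
    return ops


def boot_time_changes(ini_text: str, pending: list[str]) -> list[str]:
    """One line per file that will appear, move or vanish at the next boot."""
    return [op.describe() for op in parse_wininit_rename(ini_text) + parse_pending_renames(pending)]


# Constructed sample inputs (not taken from the sandbox run).
WININIT_SAMPLE = r"""
; Windows 9x: processed once by WININIT.EXE at boot
[rename]
NUL=C:\WINDOWS\TEMP\IS-AB1.TMP
C:\PROGRA~1\TOOL\TOOL.EXE=C:\WINDOWS\TEMP\IS-CD2.TMP
"""

PENDING_SAMPLE = [
    r"\??\C:\Windows\Temp\is-AB12C.tmp", "",                                      # delete
    r"\??\C:\Users\Public\payload.exe.tmp", r"!\??\C:\Users\Public\payload.exe",  # replace
]

if __name__ == "__main__":
    for line in boot_time_changes(WININIT_SAMPLE, PENDING_SAMPLE):
        print(line)
```

On a live NT host the registry value is read with `winreg.QueryValueEx` on the Session Manager key and handed to `parse_pending_renames` unchanged; a forensic image gives the same list from the SYSTEM hive. A destination under Program Files or a system directory, sourced from a .tmp in a user-writable location, is the pattern to look at first.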
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
• SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
• GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
Strings
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
• Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
• Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
• Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
  • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
  • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: InfoLocale$DefaultSystem
• String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
• API String ID: 1044490935-665933166
• Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
• Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
• Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
APIs
• GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
• InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
  • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
• InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
  • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
• InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
Strings
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
• Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
• Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
• Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
APIs
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
• GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
• GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
• DeleteObject.GDI32(?), ref: 0041BF9F
• DeleteObject.GDI32(?), ref: 0041BFA8
• CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: Object$BitmapBitsDelete$CreateIcon
• String ID:
• API String ID: 1030595962-0
• Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
• Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
• Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
APIs
• SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
• GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
• SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
• RealizePalette.GDI32(?), ref: 0041CF92
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
• StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
• SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
• String ID:
• API String ID: 2222416421-0
• Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
• Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
• Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
APIs
• SendMessageA.USER32(00000000,?,?), ref: 0045732E
  • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
  • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
  • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
• TranslateMessage.USER32(?), ref: 004573B3
• DispatchMessageA.USER32(?), ref: 004573BC
Strings
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
• String ID: [Paused]
• API String ID: 1007367021-4230553315
• Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
• Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
• Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
• Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
APIs
• GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
• LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
• SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
• Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
• SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
Strings
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: Cursor$LoadSleep
• String ID: CheckPassword
• API String ID: 4023313301-1302249611
• Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
• Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
• Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
• Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
APIs
  • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
  • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
  • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
• SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
• GetTickCount.KERNEL32 ref: 00477CE6
• GetTickCount.KERNEL32 ref: 00477CF0
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
Strings
• CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
• CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
• String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
• API String ID: 613034392-3771334282
• Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
• Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
• Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
• Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
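Every function entry on this page has the same shape: an APIs list with call-site addresses (some marked as part of a subcall), an optional Strings list with xrefs, and a Similarity block whose String ID joins the referenced strings with '$'. With a few hundred of these in one report it is quicker to parse them than to read them. The script below is an added example, not Joe Sandbox code; it turns entries into records and tags them with a small rule set that is an assumption for illustration, not the sandbox's classifier. The sample text is constructed from entries on this page. One practical result for this report: entries carrying installer strings such as "Inno Setup: Language" and "CallSpawnServer" are the installer stub's own runtime, which helps separate setup-engine code from whatever the installer unpacks.

```python
"""Parse Joe Sandbox function-summary entries (the APIs / Strings / Similarity
blocks on this page) into records and attach triage hints.

Added example, not Joe Sandbox code.  SAMPLE is constructed from two entries on
this page (with one subcall line borrowed from a third); HINTS is an assumed,
illustrative rule set, not the sandbox's own classifier.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
Strings
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• API String ID: 390214022-3304407042
APIs
• GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
• SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
  • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
Strings
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
• API String ID: 3391662889-4234151509
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# "• Name.MODULE(arg,arg), ref: ADDR", optionally prefixed by the subcall note and
# optionally without an argument list (e.g. "GetTickCount.KERNEL32 ref: ...").
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_LINE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs:\s*(?P<ref>[0-9A-Fa-f]+)$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                    # address of the call site
    subcall: str | None = None  # callee address when the call sits inside a subcall


@dataclass
class Entry:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref)
    fields: dict[str, str] = field(default_factory=dict)          # Similarity block

    @property
    def api_names(self) -> set[str]:
        return {c.name for c in self.calls}

    @property
    def string_ids(self) -> list[str]:
        # "String ID" joins the referenced strings with '$'; drop empty pieces.
        return [s for s in self.fields.get("String ID", "").split("$") if s.strip()]


def parse_entries(text: str) -> list[Entry]:
    entries: list[Entry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                entries.append(Entry())  # each entry opens with its APIs header
            section = line
            continue
        if not entries or not line.startswith("•"):
            continue
        cur = entries[-1]
        if section == "APIs" and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"]))
        elif section == "Strings" and (m := STRING_LINE.match(line)):
            cur.strings.append((m["text"], m["ref"].upper()))
        elif section == "Similarity" and (m := FIELD_LINE.match(line)):
            cur.fields[m["key"]] = m["val"]
    return entries


# Assumed triage rules: a hint fires when any listed API name or any listed
# string fragment occurs in the entry.
HINTS: dict[str, tuple[set[str], set[str]]] = {
    "reboot-deferred file rename/delete": ({"MoveFileExA", "MoveFileExW"}, {"WININIT.INI", "[rename]", "MoveFileEx"}),
    "runtime API resolution": ({"GetProcAddress", "LoadLibraryA", "LoadLibraryW"}, set()),
    ".NET GAC interaction": (set(), {"CreateAssemblyCache", "Fusion.dll"}),
    "Inno Setup runtime code": (set(), {"Inno Setup: Language", "CallSpawnServer"}),
}


def triage(entry: Entry) -> list[str]:
    tokens = set(entry.string_ids) | {text for text, _ in entry.strings}
    hits = []
    for label, (apis, fragments) in HINTS.items():
        if entry.api_names & apis or any(frag in tok for frag in fragments for tok in tokens):
            hits.append(label)
    return hits


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(f"{e.fields.get('API ID', '?'):40} {sorted(e.api_names)} -> {triage(e)}")
```

Feed it the text export of the whole function-summary section and sort by hint; the Opcode ID and Instruction Fuzzy Hash fields end up in `Entry.fields` as well, so matched entries can be compared across reports of related samples.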
APIs
• GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
Strings
• Failed to load .NET Framework DLL "%s", xrefs: 00459824
• Fusion.dll, xrefs: 004597DF
• .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
• CreateAssemblyCache, xrefs: 00459836
• Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_steel.jbxd
Similarity
• API ID: AddressProc
• String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
• API String ID: 190572456-3990135632
APIs
  • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
• GetFocus.USER32 ref: 0041C168
• GetDC.USER32(?), ref: 0041C174
• SelectPalette.GDI32(?,?,00000000), ref: 0041C195
• RealizePalette.GDI32(?), ref: 0041C1A1
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
• SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
• ReleaseDC.USER32(?,?), ref: 0041C1ED
Similarity
• API ID: Palette$Select$BitsFocusObjectRealizeRelease
• API String ID: 3303097818-0
APIs
• GetSystemMetrics.USER32(0000000E), ref: 00418C70
• GetSystemMetrics.USER32(0000000D), ref: 00418C78
• 6F0D2980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
  • Part of subcall function 004107F8: 6F0CC400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
• 6F13CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
• 6F13C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
• 6F13CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
• 6F0D0860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
Similarity
• API ID: MetricsSystem$C400C740D0860D2980
• API String ID: 2362367995-0
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
Similarity
• API ID: CloseOpen
• String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
• API String ID: 47109696-2530820420
APIs
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Similarity
• API ID: ObjectSelect$Delete$Stretch
• API String ID: 1458357782-0
APIs
• GetCursorPos.USER32 ref: 004233AF
• WindowFromPoint.USER32(?,?), ref: 004233BC
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
• GetCurrentThreadId.KERNEL32 ref: 004233D1
• SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
• SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
• SetCursor.USER32(00000000), ref: 00423413
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• API String ID: 1770779139-0
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
• InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
  • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
  • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
  • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
APIs
• LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                          • API String ID: 2238633743-1050967733
                                                                          • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                          • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                          • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                          • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                          • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                          • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$HandleModule
                                                                          • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                          • API String ID: 667068680-222143506
                                                                          • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                          • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                          • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                          • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                          APIs
                                                                          • GetFocus.USER32 ref: 0041B57E
                                                                          • GetDC.USER32(?), ref: 0041B58A
                                                                          • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                          • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                          • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                          • String ID:
                                                                          • API String ID: 2502006586-0
                                                                          • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                          • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                          • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                          • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                          APIs
                                                                          • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                          • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                          • API String ID: 1452528299-1580325520
                                                                          • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                          • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                          • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                          • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                          • GetDC.USER32(00000000), ref: 0041BDE9
                                                                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDeviceMetricsSystem$Release
                                                                          • String ID:
                                                                          • API String ID: 447804332-0
                                                                          • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                          • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                          • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                          • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                          • LocalFree.KERNEL32(0065EBF0,00000000,00401B68), ref: 00401ACF
                                                                          • VirtualFree.KERNEL32(?,00000000,00008000,0065EBF0,00000000,00401B68), ref: 00401AEE
                                                                          • LocalFree.KERNEL32(0065FBF0,?,00000000,00008000,0065EBF0,00000000,00401B68), ref: 00401B2D
                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                          • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                          • String ID:
                                                                          • API String ID: 3782394904-0
                                                                          • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                          • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                          • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                          • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                          APIs
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                          • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                          • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                          • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$Show
                                                                          • String ID:
                                                                          • API String ID: 3609083571-0
                                                                          • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                          • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                          • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                          • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                          APIs
                                                                            • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                          • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                          • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                          • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                          • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                            • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                          • String ID:
                                                                          • API String ID: 3527656728-0
                                                                          • Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                          • Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
                                                                          • Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                          • Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
                                                                          APIs
                                                                          • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                          • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateFileHandle
                                                                          • String ID: !nI$.tmp$_iu
                                                                          • API String ID: 3498533004-584216493
                                                                          • Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                          • Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
                                                                          • Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                          • Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                                          APIs
                                                                            • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                          • ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                            • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                            • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                          • String ID: .dat$.msg$IMsg$Uninstall
                                                                          • API String ID: 3312786188-1660910688
                                                                          • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                          • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                                          • Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                          • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                          • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                          • API String ID: 828529508-2866557904
                                                                          • Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                          • Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
                                                                          • Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                          • Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
                                                                          APIs
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                                          • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                          • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                          • API String ID: 2573145106-3235461205
                                                                          • Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                          • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                                          • Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                          • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                          • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                          • String ID: ChangeWindowMessageFilter$user32.dll
                                                                          • API String ID: 3478007392-2498399450
                                                                          • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                          • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                          • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                          • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                          APIs
                                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                          • String ID: AllowSetForegroundWindow$user32.dll
                                                                          • API String ID: 1782028327-3855017861
                                                                          • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                          • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                                          • Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                          • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
                                                                          APIs
                                                                          • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                          • SaveDC.GDI32(?), ref: 00416C83
                                                                          • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                          • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                          • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                          • String ID:
                                                                          • API String ID: 3808407030-0
                                                                          • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                          • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                          • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                          • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                          • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                          • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                          • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                          • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                          • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                          • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                          • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                          • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                          • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                          • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                          APIs
                                                                          • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                          • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                          • GetDC.USER32(00000000), ref: 0041BC12
                                                                          • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                          • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                          • String ID:
                                                                          • API String ID: 1095203571-0
                                                                          • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                          • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                          • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                          • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                          APIs
                                                                            • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                          • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                          Strings
                                                                          • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                          • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                          • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                          • API String ID: 1452528299-4018462623
                                                                          • Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                          • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                                          • Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                          • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                          • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                          • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$AllocString
                                                                          • String ID:
                                                                          • API String ID: 262959230-0
                                                                          • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                          • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                          • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                          • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                          APIs
                                                                          • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                                          • RealizePalette.GDI32(00000000), ref: 00414421
                                                                          • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                                          • RealizePalette.GDI32(00000000), ref: 0041443B
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Palette$RealizeSelect$Release
                                                                          • String ID:
                                                                          • API String ID: 2261976640-0
                                                                          • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                          • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                                          • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                          • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                                          APIs
                                                                            • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                            • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                            • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                            • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                                          • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                                          • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                                          • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                            • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                            • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                            • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                            • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                                          • String ID: vLB
                                                                          • API String ID: 1477829881-1797516613
                                                                          • Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                          • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                                          • Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                          • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                                          APIs
                                                                          • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                                          • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                                          • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Enum$NameOpenResourceUniversal
                                                                          • String ID: Z
                                                                          • API String ID: 3604996873-1505515367
                                                                          • Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                          • Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
                                                                          • Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                          • Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                                          APIs
                                                                          • SetRectEmpty.USER32(?), ref: 0044D04E
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
                                                                          • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DrawText$EmptyRect
                                                                          • String ID:
                                                                          • API String ID: 182455014-2867612384
                                                                          • Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                          • Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
                                                                          • Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                          • Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0042EF9E
                                                                            • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                          • SelectObject.GDI32(?,00000000), ref: 0042EFC1
                                                                          • ReleaseDC.USER32(00000000,?), ref: 0042F0A0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFontIndirectObjectReleaseSelect
                                                                          • String ID: ...\
                                                                          • API String ID: 3133960002-983595016
                                                                          • Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                          • Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
                                                                          • Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                          • Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                          • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                          • RegisterClassA.USER32(?), ref: 004164CE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoRegisterUnregister
                                                                          • String ID: @
                                                                          • API String ID: 3749476976-2766056989
                                                                          • Opcode ID: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
                                                                          • Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
                                                                          • Opcode Fuzzy Hash: 32c7bff64fe8078beb5c73cee1a3f36bf3645a98757bc26b4be27a2261280048
                                                                          • Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
                                                                          • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: File$Attributes$Move
                                                                          • String ID: isRS-%.3u.tmp
                                                                          • API String ID: 3839737484-3657609586
                                                                          • Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                          • Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
                                                                          • Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                          • Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
                                                                          APIs
                                                                          • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                          • ExitProcess.KERNEL32 ref: 00404E0D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ExitMessageProcess
                                                                          • String ID: Error$Runtime error at 00000000
                                                                          • API String ID: 1220098344-2970929446
                                                                          • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                          • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                          • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                          • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                          APIs
                                                                            • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                          • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                          • String ID: LoadTypeLib$RegisterTypeLib
                                                                          • API String ID: 1312246647-2435364021
                                                                          • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                          • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                                          • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                          • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                                          • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                                          Strings
                                                                          • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                                          • Failed to create DebugClientWnd, xrefs: 004571D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                          • API String ID: 3850602802-3720027226
                                                                          • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                          • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                                          • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                          • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                                          APIs
                                                                            • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                          • GetFocus.USER32 ref: 00478757
                                                                          • GetKeyState.USER32(0000007A), ref: 00478769
                                                                          • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FocusMessageStateTextWaitWindow
                                                                          • String ID: Wnd=$%x
                                                                          • API String ID: 1381870634-2927251529
                                                                          • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                          • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                                          • Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                          • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                                          APIs
                                                                          • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                                          • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Time$File$LocalSystem
                                                                          • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                          • API String ID: 1748579591-1013271723
                                                                          • Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                          • Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
                                                                          • Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                          • Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
                                                                          APIs
                                                                          • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                            • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                            • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: File$AttributesDeleteErrorLastMove
                                                                          • String ID: DeleteFile$MoveFile
                                                                          • API String ID: 3024442154-139070271
                                                                          • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                          • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                          • Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                          • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                          • API String ID: 47109696-2631785700
                                                                          • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                          • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                                          • Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                          • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                                          • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                                          Strings
                                                                          • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                                          • CSDVersion, xrefs: 00483BFC
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                          • API String ID: 3677997916-1910633163
                                                                          • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                          • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                          • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                          • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                          • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                          • API String ID: 1646373207-4063490227
                                                                          • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                          • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                          • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                          • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                          • API String ID: 1646373207-260599015
                                                                          • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                          • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                          • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                          • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: NotifyWinEvent$user32.dll
                                                                          • API String ID: 1646373207-597752486
                                                                          • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                          • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                          • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                          • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                          • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                          • API String ID: 1646373207-834958232
                                                                          • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                          • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                          • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                          • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                          APIs
                                                                            • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                            • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                          • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                          • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                          • API String ID: 2238633743-2683653824
                                                                          • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                          • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                          • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                          • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                          APIs
                                                                          • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                          • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileNext
                                                                          • String ID:
                                                                          • API String ID: 2066263336-0
                                                                          • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                          • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                          • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                          • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                          APIs
                                                                            • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                            • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                          • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CountErrorFileLastMoveTick
                                                                          • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                          • API String ID: 2406187244-2685451598
                                                                          • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                          • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                          • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                          • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
                                                                          APIs
                                                                          • GetDesktopWindow.USER32 ref: 00413D46
                                                                          • GetDesktopWindow.USER32 ref: 00413DFE
                                                                            • Part of subcall function 00418EC0: 6F13C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                            • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                          • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CursorDesktopWindow$Show
                                                                          • String ID:
                                                                          • API String ID: 2074268717-0
                                                                          • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                          • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                          • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                          • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                          • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                          • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                          • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString$FileMessageModuleName
                                                                          • String ID:
                                                                          • API String ID: 704749118-0
                                                                          • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                          • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                          • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                          • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                            • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                          • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                            • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                          • IsRectEmpty.USER32(?), ref: 0044E953
                                                                          • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                          • String ID:
                                                                          • API String ID: 855768636-0
                                                                          • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                          • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                          • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                          • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                          APIs
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                                          • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                                          • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: OffsetRect
                                                                          • String ID:
                                                                          • API String ID: 177026234-0
                                                                          • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                          • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                                          • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                          • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                                          APIs
                                                                          • GetCursorPos.USER32 ref: 00417260
                                                                          • SetCursor.USER32(00000000), ref: 004172A3
                                                                          • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                          • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                          • String ID:
                                                                          • API String ID: 1959210111-0
                                                                          • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                          • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                          • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                          • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                          APIs
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                                          • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                          • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                                          • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                          • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                                          APIs
                                                                          • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                          • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                          • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                          • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                          • String ID:
                                                                          • API String ID: 4025006896-0
                                                                          • Opcode ID: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                                          • Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
                                                                          • Opcode Fuzzy Hash: 2789f09181fedf2aa8f29be774d1bfe7920984f559ea6f8e8637ed1726722249
                                                                          • Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
                                                                          APIs
                                                                          • WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                          • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                          • GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                          • CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                          • String ID:
                                                                          • API String ID: 4071923889-0
                                                                          • Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                          • Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
                                                                          • Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
                                                                          • Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
                                                                          • LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
                                                                          • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
                                                                          • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindLoadLockSizeof
                                                                          • String ID:
                                                                          • API String ID: 3473537107-0
                                                                          • Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                          • Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
                                                                          • Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
                                                                          • Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
                                                                          APIs
                                                                          • RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                          • LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                          • String ID:
                                                                          • API String ID: 730355536-0
                                                                          • Opcode ID: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
                                                                          • Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
                                                                          • Opcode Fuzzy Hash: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
                                                                          • Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
                                                                          APIs
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 004705F1
                                                                          Strings
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 00470602
                                                                          • Setting NTFS compression on file: %s, xrefs: 004705BF
                                                                          • Unsetting NTFS compression on file: %s, xrefs: 004705D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                          • API String ID: 1452528299-3038984924
                                                                          • Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                          • Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
                                                                          • Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
                                                                          • Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
                                                                          Strings
                                                                          • Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
                                                                          • Failed to set NTFS compression state (%d)., xrefs: 0046FE56
                                                                          • Setting NTFS compression on directory: %s, xrefs: 0046FE13
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast
                                                                          • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                          • API String ID: 1452528299-1392080489
                                                                          • Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                          • Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
                                                                          • Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
                                                                          • Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
                                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
                                                                          • RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
                                                                          • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                          • String ID:
                                                                          • API String ID: 4283692357-0
                                                                          • Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                          • Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
                                                                          • Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
                                                                          • Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CountSleepTick
                                                                          • String ID:
                                                                          • API String ID: 2227064392-0
                                                                          • Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                          • Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
                                                                          • Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
                                                                          • Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
                                                                          • OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
                                                                          • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
                                                                          • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                          • String ID:
                                                                          • API String ID: 215268677-0
                                                                          • Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                          • Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
                                                                          • Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
                                                                          • Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
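The entries in this listing are raw output of the Joe Sandbox IDA plugin; for triage a practitioner usually wants them as ordered API sequences per function rather than as bullet text. The parser below is an added example written for this page, not Joe Sandbox code: it reads the APIs / Strings / Similarity blocks of these entries into records, flags ordered API chains and string patterns, and decodes the TOKEN_INFORMATION_CLASS argument of GetTokenInformation from its raw hex value. The sample text is abridged from three entries of this report (long argument lists shortened), and the pattern labels are hypothetical. One caveat the code encodes: the GetTokenInformation call at 00478235 passes 00000012 as its second argument, which winnt.h defines as TokenElevationType (18); TokenIntegrityLevel is 25 (0x19), so the inline label the report attaches to that argument should be read against the raw value, and the function is better described as a token elevation query.

```python
"""Added example: parse Joe Sandbox IDA-plugin function entries (the APIs /
Strings / Similarity blocks of this listing) into records, flag ordered API
chains, and decode GetTokenInformation's TOKEN_INFORMATION_CLASS argument.
Not Joe Sandbox code. SAMPLE is abridged from three entries in this report."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?), ref: 0047820D
• OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 00478213
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008), ref: 00478235
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel), ref: 00478246
Memory Dump Source
• Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
• LoadResource.KERNEL32(00400000,72756F73,0040A7C8), ref: 0040D041
• SizeofResource.KERNEL32(00400000,72756F73,00400000), ref: 0040D05B
• LockResource.KERNEL32(74536563,00000000,00400000), ref: 0040D065
Similarity
• API ID: Resource$FindLoadLockSizeof
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004705F1
Strings
• Failed to set NTFS compression state (%d)., xrefs: 00470602
• Setting NTFS compression on file: %s, xrefs: 004705BF
Similarity
• API ID: ErrorLast
"""

# "Part of subcall function X: Name.MODULE(args), ref: ADDR"; args are optional
# (the report prints e.g. "GlobalHandle.KERNEL32 ref: 0040626F" with none).
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
SECTIONS = {"Strings": "strings", "Memory Dump Source": "meta",
            "Joe Sandbox IDA Plugin": "meta", "Similarity": "meta"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str | None = None   # set when the call sits in a "subcall function"

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # ApiCall, in listing order
    strings: list = field(default_factory=list)   # (text, xref)
    meta: dict = field(default_factory=dict)      # "API ID", "Opcode ID", ...

def parse_entries(text):
    """One FunctionEntry per 'APIs' header. An empty APIs block (the report
    contains one) still yields an entry with no calls."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry(); entries.append(cur); section = "apis"
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif cur is not None and line.startswith("•"):
            body = line[1:].strip()
            if section == "apis" and (m := API_RE.match(body)):
                args = m["args"].split(",") if m["args"] is not None else []
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            elif section == "strings" and (m := STR_RE.match(body)):
                cur.strings.append((m["text"], m["ref"]))
            elif section == "meta":
                key, _, val = body.partition(":")
                # "Download File" is link residue glued onto Associated lines.
                cur.meta[key.strip()] = val.strip().removesuffix("Download File")
    return entries

def base_name(name):
    """Drop the ANSI/Unicode suffix so FindResourceA matches FindResource."""
    return name[:-1] if len(name) > 2 and name[-1] in "AW" and name[-2].islower() else name

# Hypothetical labels; the sequences themselves appear verbatim in this listing.
CHAIN_PATTERNS = {
    "process-token-query": ["GetCurrentProcess", "OpenProcessToken", "GetTokenInformation"],
    "embedded-resource-load": ["FindResource", "LoadResource", "SizeofResource", "LockResource"],
}
STRING_PATTERNS = {"ntfs-compression-toggle": re.compile(r"NTFS compression")}

def is_ordered_subsequence(seq, pattern):
    it = iter(seq)   # each pattern element must appear after the previous match
    return all(any(p == s for s in it) for p in pattern)

def find_chains(entries):
    """Return (label, ref of first call, API ID) for every matching entry."""
    hits = []
    for e in entries:
        names = [base_name(c.name) for c in e.apis]
        first = e.apis[0].ref if e.apis else None
        for label, pat in CHAIN_PATTERNS.items():
            if is_ordered_subsequence(names, pat):
                hits.append((label, first, e.meta.get("API ID")))
        for label, rx in STRING_PATTERNS.items():
            if any(rx.search(t) for t, _ in e.strings):
                hits.append((label, first, e.meta.get("API ID")))
    return hits

# Subset of winnt.h TOKEN_INFORMATION_CLASS, keyed by numeric value.
TOKEN_INFORMATION_CLASS = {0x12: "TokenElevationType", 0x14: "TokenElevation",
                           0x19: "TokenIntegrityLevel"}

def decode_token_class(call):
    """Decode GetTokenInformation's second argument from its raw hex value,
    ignoring any label the report appended in parentheses."""
    if base_name(call.name) != "GetTokenInformation" or len(call.args) < 2:
        return None
    m = re.match(r"[0-9A-Fa-f]+", call.args[1].strip())
    return TOKEN_INFORMATION_CLASS.get(int(m.group(), 16), "unknown") if m else None
```

Run `find_chains(parse_entries(SAMPLE))` to get one hit per entry above; `decode_token_class` on the third call of the first entry returns TokenElevationType, not the label printed in the report. To use it on the full listing, paste the entries of this section into SAMPLE unchanged; the parser tolerates the leading indentation and the glued "Download File" suffix.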
                                                                          APIs
                                                                          • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                          • IsWindowVisible.USER32(?), ref: 0042425D
                                                                          • IsWindowEnabled.USER32(?), ref: 00424267
                                                                          • SetForegroundWindow.USER32(?), ref: 00424271
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                          • String ID:
                                                                          • API String ID: 2280970139-0
                                                                          • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                          • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                          • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                          • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                          APIs
                                                                          • GlobalHandle.KERNEL32 ref: 0040626F
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                          • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                           • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                           • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocHandleLockUnlock
                                                                          • String ID:
                                                                          • API String ID: 2167344118-0
                                                                          • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                          • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                          • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                          • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                          APIs
                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                          Strings
                                                                          • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                          • Failed to parse "reg" constant, xrefs: 0047A480
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                          • API String ID: 3535843008-1938159461
                                                                          • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                          • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                          • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                          • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                          • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                          Strings
                                                                          • Will not restart Windows automatically., xrefs: 004836F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ActiveForeground
                                                                          • String ID: Will not restart Windows automatically.
                                                                          • API String ID: 307657957-4169339592
                                                                          • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                          • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                          • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                          • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                          APIs
                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                          • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                          Strings
                                                                          • Extracting temporary file: , xrefs: 004763EC
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: FileTime$Local
                                                                          • String ID: Extracting temporary file:
                                                                          • API String ID: 791338737-4171118009
                                                                          • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                          • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                                          • Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                          • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
                                                                          Strings
                                                                          • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                          • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                          • API String ID: 0-1974262853
                                                                          • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                          • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                                          • Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                          • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                                          APIs
                                                                            • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                          • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                          Strings
                                                                          • %s\%s_is1, xrefs: 00478F10
                                                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpen
                                                                          • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                          • API String ID: 47109696-1598650737
                                                                          • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                          • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                          • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                          • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                          APIs
                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                          • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ExecuteMessageSendShell
                                                                          • String ID: open
                                                                          • API String ID: 812272486-2758837156
                                                                          • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                          • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                          • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                          • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                          APIs
                                                                          • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                          • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                            • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryErrorExecuteLastShellSystem
                                                                          • String ID: <
                                                                          • API String ID: 893404051-4251816714
                                                                          • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                          • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                          • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                          • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                          APIs
                                                                          • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                          • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                            • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                            • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                            • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                            • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,02177D4C,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                          • String ID: )
                                                                          • API String ID: 2227675388-1084416617
                                                                          • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                          • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                          • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                          • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Window
                                                                          • String ID: /INITPROCWND=$%x $@
                                                                          • API String ID: 2353593579-4169826103
                                                                          • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                          • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                          • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                          • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                          APIs
                                                                            • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                            • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                          • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: String$AllocByteCharFreeMultiWide
                                                                          • String ID: NIL Interface Exception$Unknown Method
                                                                          • API String ID: 3952431833-1023667238
                                                                          • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                          • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                          • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                          • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                          APIs
                                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                          • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                            • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateErrorHandleLastProcess
                                                                          • String ID: 0nI
                                                                          • API String ID: 3798668922-794067871
                                                                          • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                          • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                          • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                          • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Value$EnumQuery
                                                                          • String ID: Inno Setup: No Icons
                                                                          • API String ID: 1576479698-2016326496
                                                                          • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                          • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                          • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                          • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                          APIs
                                                                          • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                          • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: AttributesErrorFileLast
                                                                          • String ID: T$H
                                                                          • API String ID: 1799206407-488339322
                                                                          • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                          • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                          • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                          • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                          APIs
                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                          • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DeleteErrorFileLast
                                                                          • String ID: T$H
                                                                          • API String ID: 2018770650-488339322
                                                                          • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                          • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                          • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                          • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                          APIs
                                                                          • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                          • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryErrorLastRemove
                                                                          • String ID: T$H
                                                                          • API String ID: 377330604-488339322
                                                                          • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                          • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                          • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                          • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                          APIs
                                                                            • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(74620000,00481A2F), ref: 0047D0E2
                                                                            • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                            • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                          • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                          • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                          Strings
                                                                          • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                          • String ID: Detected restart. Removing temporary directory.
                                                                          • API String ID: 1717587489-3199836293
                                                                          • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                          • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                          • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                          • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                          • GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: CommandHandleLineModule
                                                                          • String ID: P6d
                                                                          • API String ID: 2123368496-1346290582
                                                                          • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                          • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                                          • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                          • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000002.00000002.3208498856.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000002.00000002.3208469256.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208611545.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208669933.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208700310.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                          • Associated: 00000002.00000002.3208723070.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_2_2_400000_steel.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastSleep
                                                                          • String ID:
                                                                          • API String ID: 1458359878-0
                                                                          • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                          • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                          • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                          • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                          Execution Graph

                                                                          Execution Coverage:1.1%
                                                                          Dynamic/Decrypted Code Coverage:71.4%
                                                                          Signature Coverage:10.5%
                                                                          Total number of Nodes:503
                                                                          Total number of Limit Nodes:30
                                                                          execution_graph 60919 402a20 GetVersion 60944 403b64 HeapCreate 60919->60944 60921 402a7f 60922 402a84 60921->60922 60923 402a8c 60921->60923 61022 402b3b 8 API calls 60922->61022 60956 403844 60923->60956 60926 402a94 GetCommandLineA 60970 403712 60926->60970 60931 402aae 61002 40340c 60931->61002 60933 402ab3 60934 402ab8 GetStartupInfoA 60933->60934 61015 4033b4 60934->61015 60936 402aca GetModuleHandleA 61019 401f06 60936->61019 60945 403b84 60944->60945 60946 403bba 60944->60946 61023 403a1c 19 API calls 60945->61023 60946->60921 60948 403b89 60949 403ba0 60948->60949 60950 403b93 60948->60950 60952 403bbd 60949->60952 61025 40478c HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 60949->61025 61024 403f3b HeapAlloc 60950->61024 60952->60921 60953 403b9d 60953->60952 60955 403bae HeapDestroy 60953->60955 60955->60946 61026 402b5f 60956->61026 60959 403863 GetStartupInfoA 60962 403974 60959->60962 60963 4038af 60959->60963 60964 40399b GetStdHandle 60962->60964 60965 4039db SetHandleCount 60962->60965 60963->60962 60967 402b5f 12 API calls 60963->60967 60968 403920 60963->60968 60964->60962 60966 4039a9 GetFileType 60964->60966 60965->60926 60966->60962 60967->60963 60968->60962 60969 403942 GetFileType 60968->60969 60969->60968 60971 403760 60970->60971 60972 40372d GetEnvironmentStringsW 60970->60972 60974 403735 60971->60974 60975 403751 60971->60975 60973 403741 GetEnvironmentStrings 60972->60973 60972->60974 60973->60975 60976 402aa4 60973->60976 60977 403779 WideCharToMultiByte 60974->60977 60978 40376d GetEnvironmentStringsW 60974->60978 60975->60976 60979 4037f3 GetEnvironmentStrings 60975->60979 60980 4037ff 60975->60980 60993 4034c5 60976->60993 60982 4037ad 60977->60982 60983 4037df FreeEnvironmentStringsW 60977->60983 60978->60976 60978->60977 60979->60976 60979->60980 60984 402b5f 12 API calls 60980->60984 60985 402b5f 12 API calls 60982->60985 60983->60976 60991 
                                                                          Execution graph (node identifiers and edge list of the rendered graph; not reproduced here)

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.NTDLL(00884FD0), ref: 00855E92
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00855EA9
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00855EB2
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00855EC1
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00855EC4
                                                                          • GetTickCount.KERNEL32 ref: 00855ED8
                                                                            • Part of subcall function 008559FA: _malloc.LIBCMT ref: 00855A08
                                                                          • GetVersionExA.KERNEL32(00884E20), ref: 00855F05
                                                                          • _memset.LIBCMT ref: 00855F24
                                                                          • _malloc.LIBCMT ref: 00855F31
                                                                            • Part of subcall function 00861FBC: __FF_MSGBANNER.LIBCMT ref: 00861FD3
                                                                            • Part of subcall function 00861FBC: __NMSG_WRITE.LIBCMT ref: 00861FDA
                                                                            • Part of subcall function 00861FBC: RtlAllocateHeap.NTDLL(00950000,00000000,00000001), ref: 00861FFF
                                                                          • _malloc.LIBCMT ref: 00855F41
                                                                          • _malloc.LIBCMT ref: 00855F4C
                                                                          • _malloc.LIBCMT ref: 00855F57
                                                                          • _malloc.LIBCMT ref: 00855F62
                                                                          • _malloc.LIBCMT ref: 00855F6D
                                                                          • _malloc.LIBCMT ref: 00855F78
                                                                          • _malloc.LIBCMT ref: 00855F84
                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00855F9B
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00855FA4
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00855FB0
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00855FB3
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00855FBE
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00855FC1
                                                                          • _memset.LIBCMT ref: 00855FD1
                                                                          • _memset.LIBCMT ref: 00855FDD
                                                                          • _memset.LIBCMT ref: 00855FEA
                                                                          • RtlEnterCriticalSection.NTDLL(00884FD0), ref: 00855FF8
                                                                          • RtlLeaveCriticalSection.NTDLL(00884FD0), ref: 00856005
                                                                          • _malloc.LIBCMT ref: 00856026
                                                                          • _malloc.LIBCMT ref: 00856034
                                                                          • _malloc.LIBCMT ref: 0085603B
                                                                          • _malloc.LIBCMT ref: 0085605C
                                                                          • QueryPerformanceCounter.KERNEL32(00000200), ref: 00856068
                                                                          • Sleep.KERNELBASE(00000000), ref: 00856076
                                                                          • _malloc.LIBCMT ref: 00856082
                                                                          • _malloc.LIBCMT ref: 00856092
                                                                          • _memset.LIBCMT ref: 008560A7
                                                                          • _memset.LIBCMT ref: 008560B7
                                                                          • Sleep.KERNELBASE(0000EA60), ref: 00856104
                                                                          • RtlEnterCriticalSection.NTDLL(00884FD0), ref: 0085610F
                                                                          • RtlLeaveCriticalSection.NTDLL(00884FD0), ref: 00856120
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Offset: 00851000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_851000_mediacodecpack3.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _malloc$Heap$_memset$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                          • API String ID: 1856495841-1038016512
                                                                          • Opcode ID: 7db0d653eb04fdccd57e14eb2b112f04d35dff0dbdc8557674a5581b44795941
                                                                          • Instruction ID: 78c80a0d7d6aa9dcf5d9230557bc833bbd8671cf7f70e71f4054d6ebfd84aa58
                                                                          • Opcode Fuzzy Hash: 7db0d653eb04fdccd57e14eb2b112f04d35dff0dbdc8557674a5581b44795941
                                                                          • Instruction Fuzzy Hash: 7E71A0B19087409FD710AB78AC49B5B7BE4FF45310F15092DF688D7392EBB889448B96

                                                                          Control-flow Graph

                                                                          Control-flow graph for 0085E9AB (LoadLibraryA / GetProcAddress / GetAdaptersInfo / FreeLibrary); executed and not-executed node legend and edge list of the rendered graph not reproduced here
                                                                          APIs
                                                                          • LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 0085E9C1
                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 0085E9DA
                                                                          • GetAdaptersInfo.IPHLPAPI(?,?), ref: 0085E9FF
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 0085EA88
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Offset: 00851000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_851000_mediacodecpack3.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                          • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                          • API String ID: 514930453-3114217049
                                                                          • Opcode ID: 75dfd537ff29a771f21078f6de71574b423e267e1628c3fe5dbb358a40cc312a
                                                                          • Instruction ID: cbb38370d6ad7f84cda092a3ddae78800d4740a0a5b9cff9e8b0e4b65611da34
                                                                          • Opcode Fuzzy Hash: 75dfd537ff29a771f21078f6de71574b423e267e1628c3fe5dbb358a40cc312a
                                                                          • Instruction Fuzzy Hash: 1821E675E046299BCB19DFB8DC446EEBBB8FF24311F1440A9E908E7201E7708F4987A0

                                                                          Control-flow Graph

                                                                          Control-flow graph for 0085E8A7 (CreateFileA / DeviceIoControl / GetLastError / CloseHandle); executed and not-executed node legend and edge list of the rendered graph not reproduced here
                                                                          APIs
                                                                          • CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 0085E8C6
                                                                          • DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 0085E904
                                                                          • GetLastError.KERNEL32 ref: 0085E965
                                                                          • CloseHandle.KERNELBASE(?), ref: 0085E99C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Offset: 00851000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_851000_mediacodecpack3.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                          • String ID: \\.\PhysicalDrive0
                                                                          • API String ID: 4026078076-1180397377
                                                                          • Opcode ID: 02abb18c429259ec43470c75725bace90a360dc49ccec7b147232bd9cf980116
                                                                          • Instruction ID: 985f637d53406cdb1071f2bd1f2c2110c5c29e108eb70b91fb0da1b734d43d16
                                                                          • Opcode Fuzzy Hash: 02abb18c429259ec43470c75725bace90a360dc49ccec7b147232bd9cf980116
                                                                          • Instruction Fuzzy Hash: 1C319E75D00619ABCB28CF99DC84AAEBFB9FF05711F20416AE905E3280D7705F49CB90

                                                                          Control-flow Graph

                                                                          Control-flow graph for 00401951 (GetLocalTime / StartServiceCtrlDispatcherA / lstrcmpiW); executed and not-executed node legend and edge list of the rendered graph not reproduced here
                                                                          APIs
                                                                          • GetLocalTime.KERNEL32(0040BE00), ref: 00401B4D
                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                          • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CtrlDispatcherLocalServiceStartTimelstrcmpi
                                                                          • String ID: /chk
                                                                          • API String ID: 4108452588-3837807730
                                                                          • Opcode ID: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                          • Instruction ID: c0b6fb2c802bab406561895994aa9e9237411ab6f3462ae67dbec63e80f3bd48
                                                                          • Opcode Fuzzy Hash: b98aab331838fe6632ee09d3ee6537478d9e654e437189eacf188a04f6302d0c
                                                                          • Instruction Fuzzy Hash: 4121D070904658CBDB048B609E697E63BF4AB06340F0081BAC886F72E2D738890ADB19

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • RtlInitializeCriticalSection.NTDLL(00884FD0), ref: 00855E92
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 00855EA9
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00855EB2
                                                                          • GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 00855EC1
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00855EC4
                                                                          • GetTickCount.KERNEL32 ref: 00855ED8
                                                                          • GetVersionExA.KERNEL32(00884E20), ref: 00855F05
                                                                          • _memset.LIBCMT ref: 00855F24
                                                                          • _malloc.LIBCMT ref: 00855F31
                                                                          • _malloc.LIBCMT ref: 00855F41
                                                                          • _malloc.LIBCMT ref: 00855F4C
                                                                          • _malloc.LIBCMT ref: 00855F57
                                                                          • _malloc.LIBCMT ref: 00855F62
                                                                          • _malloc.LIBCMT ref: 00855F6D
                                                                          • _malloc.LIBCMT ref: 00855F78
                                                                          • _malloc.LIBCMT ref: 00855F84
                                                                          • GetProcessHeap.KERNEL32(00000000,00000004), ref: 00855F9B
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00855FA4
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00855FB0
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00855FB3
                                                                          • GetProcessHeap.KERNEL32(00000000,00000400), ref: 00855FBE
                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00855FC1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Offset: 00851000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_851000_mediacodecpack3.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: _malloc$Heap$AllocateProcess$AddressHandleModuleProc$CountCriticalInitializeSectionTickVersion_memset
                                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                          • API String ID: 3007647348-1038016512
                                                                          • Opcode ID: f81e5b66613126fcfef91ccad7b136c41c39f223c608824c0121e2bd9ae9e317
                                                                          • Instruction ID: e6882fb5bab6831a828f5c0c256d23b047dcca8d2b63cd08cbdc92b658203810
                                                                          • Opcode Fuzzy Hash: f81e5b66613126fcfef91ccad7b136c41c39f223c608824c0121e2bd9ae9e317
                                                                          • Instruction Fuzzy Hash: 9AA114729087509FD710AF78AC59B5BBBE4FF46310F19092EF988D7252DBB489048B92

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 135 8563f5-856448 136 856464-85646e 135->136 137 85644a-856450 135->137 138 856474-856498 call 863760 call 85439c 136->138 139 8560f0-8560f2 136->139 140 856456-856463 call 85534d 137->140 141 856452-856454 137->141 138->139 155 85649e-8564c9 RtlEnterCriticalSection RtlLeaveCriticalSection call 86134c 138->155 143 8560f4-8560f9 139->143 144 8560fb-8560fd 139->144 140->136 141->136 149 856104 Sleep 143->149 147 8560ff 144->147 148 85610a-856139 RtlEnterCriticalSection RtlLeaveCriticalSection 144->148 147->149 152 85613d-856161 148->152 149->148 156 8560f5-8560f9 152->156 157 856163-856174 152->157 160 856513-85652b call 86134c 155->160 161 8564cb-8564da call 86134c 155->161 156->149 157->152 166 856531-856533 160->166 167 8567d2-8567e1 call 86134c 160->167 161->160 168 8564dc-8564eb call 86134c 161->168 166->167 170 856539-8565e4 call 861fbc RtlEnterCriticalSection RtlLeaveCriticalSection call 863760 * 5 call 85439c * 2 166->170 175 856826-856835 call 86134c 167->175 176 8567e3-8567e5 167->176 168->160 178 8564ed-8564fc call 86134c 168->178 222 8565e6-8565e8 170->222 223 856621 170->223 187 856837 call 855c11 175->187 188 85684a-856859 call 86134c 175->188 176->175 180 8567e7-856821 call 863760 RtlEnterCriticalSection RtlLeaveCriticalSection 176->180 178->160 189 8564fe-85650d call 86134c 178->189 180->139 197 85683c-856845 call 855d1f 187->197 188->139 202 85685f-856861 188->202 189->139 189->160 197->139 202->139 205 856867-856880 call 85439c 202->205 205->139 211 856886-856955 call 861428 call 851ba7 205->211 220 856957 call 85143f 211->220 221 85695c-85697d RtlEnterCriticalSection 211->221 220->221 226 85697f-856986 221->226 227 856989-8569f0 RtlLeaveCriticalSection call 853c67 call 853d7e call 85733f 221->227 222->223 228 8565ea-8565fc call 86134c 222->228 224 856625-856653 call 861fbc call 863760 call 85439c 223->224 246 856655-856664 call 8625f6 224->246 247 856694-85669d call 861f84 224->247 226->227 248 8569f6-856a38 call 859729 227->248 249 856b58-856b6c call 858007 227->249 228->223 237 8565fe-85661f call 85439c 228->237 237->224 246->247 262 856666 246->262 260 8567c0-8567cd 247->260 261 8566a3-8566bb call 8627c5 247->261 258 856b22-856b53 call 8573ee call 8533b2 248->258 259 856a3e-856a45 248->259 249->139 258->249 263 856a48-856a4d 259->263 260->139 273 8566c7 261->273 274 8566bd-8566c5 call 85873b 261->274 265 85666b-85667d call 861860 262->265 263->263 267 856a4f-856a94 call 859729 263->267 276 856682-856692 call 8625f6 265->276 277 85667f 265->277 267->258 282 856a9a-856aa0 267->282 280 8566c9-85676d call 859853 call 853863 call 855119 call 853863 call 859af9 call 859c13 273->280 274->280 276->247 276->265 277->276 304 856774-85679f Sleep call 860900 280->304 305 85676f call 85380b 280->305 287 856aa3-856aa8 282->287 287->287 289 856aaa-856ae5 call 859729 287->289 289->258 295 856ae7-856b21 call 85c11b 289->295 295->258 309 8567a1-8567aa call 854100 304->309 310 8567ab-8567b9 304->310 305->304 309->310 310->260 312 8567bb call 85380b 310->312 312->260
                                                                          APIs
                                                                          • Sleep.KERNELBASE(0000EA60), ref: 00856104
                                                                          • RtlEnterCriticalSection.NTDLL(00884FD0), ref: 0085610F
                                                                          • RtlLeaveCriticalSection.NTDLL(00884FD0), ref: 00856120
                                                                            • Part of subcall function 008627C5: _malloc.LIBCMT ref: 008627DD
                                                                          • _memset.LIBCMT ref: 00856480
                                                                          • RtlEnterCriticalSection.NTDLL(00884FD0), ref: 008564A3
                                                                          • RtlLeaveCriticalSection.NTDLL(00884FD0), ref: 008564B4
                                                                          • _malloc.LIBCMT ref: 0085653B
                                                                          • RtlEnterCriticalSection.NTDLL(00884FD0), ref: 0085654D
                                                                          • RtlLeaveCriticalSection.NTDLL(00884FD0), ref: 00856559
                                                                          • _memset.LIBCMT ref: 00856573
                                                                          • _memset.LIBCMT ref: 00856582
                                                                          • _memset.LIBCMT ref: 00856592
                                                                          • _memset.LIBCMT ref: 008565A1
                                                                          • _memset.LIBCMT ref: 008565B0
                                                                          • _malloc.LIBCMT ref: 0085662A
                                                                          • _memset.LIBCMT ref: 0085663B
                                                                          • _strtok.LIBCMT ref: 0085665B
                                                                          • _swscanf.LIBCMT ref: 00856672
                                                                          • _strtok.LIBCMT ref: 00856689
                                                                          • _free.LIBCMT ref: 00856695
                                                                          • Sleep.KERNEL32(000007D0), ref: 00856779
                                                                          • _memset.LIBCMT ref: 008567F2
                                                                          • RtlEnterCriticalSection.NTDLL(00884FD0), ref: 008567FF
                                                                          • RtlLeaveCriticalSection.NTDLL(00884FD0), ref: 00856811
                                                                            • Part of subcall function 0085873B: __EH_prolog.LIBCMT ref: 00858740
                                                                            • Part of subcall function 0085873B: RtlEnterCriticalSection.NTDLL(00000020), ref: 008587BB
                                                                            • Part of subcall function 0085873B: RtlLeaveCriticalSection.NTDLL(00000020), ref: 008587D9
                                                                          • _sprintf.LIBCMT ref: 0085689B
                                                                          • RtlEnterCriticalSection.NTDLL(00000020), ref: 00856960
                                                                          • RtlLeaveCriticalSection.NTDLL(00000020), ref: 00856994
                                                                            • Part of subcall function 00855C11: _malloc.LIBCMT ref: 00855C1F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Offset: 00851000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_851000_mediacodecpack3.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$_memset$EnterLeave$_malloc$Sleep_strtok$H_prolog_free_sprintf_swscanf
                                                                          • String ID: $%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                          • API String ID: 3337033272-2823103634
                                                                          • Opcode ID: ff36a999abe347d3a5985c344dae7f8cfde2d064831a03b01f553890afe2e4a8
                                                                          • Instruction ID: b767fb6a7e62c5a7760333f5c87ffabdf5dee2d28a837daf98d498f6484af029
                                                                          • Opcode Fuzzy Hash: ff36a999abe347d3a5985c344dae7f8cfde2d064831a03b01f553890afe2e4a8
                                                                          • Instruction Fuzzy Hash: 7F122F311083819ED734AB28D856BAFBBE5FF86315F14482DF989D7292EB709448CB53

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 315 401301-40135e FindResourceA 316 401360-401362 315->316 317 401367-40137d SizeofResource 315->317 318 401538-40153c 316->318 319 401386-4013fe LoadResource LockResource GlobalAlloc call 402490 * 2 317->319 320 40137f-401381 317->320 325 401407-40140b 319->325 320->318 326 40140d-40141d 325->326 327 40141f-401428 GetTickCount 325->327 326->325 329 401491-401499 327->329 330 40142a-40142e 327->330 331 4014a2-4014a8 329->331 332 401430-401438 330->332 333 40148f 330->333 335 4014f0-401525 GlobalAlloc call 401000 331->335 336 4014aa-4014e8 331->336 334 401441-401447 332->334 333->335 337 401449-401485 334->337 338 40148d 334->338 345 40152a-401535 335->345 339 4014ea 336->339 340 4014ee 336->340 342 401487 337->342 343 40148b 337->343 338->330 339->340 340->331 342->343 343->334 345->318
                                                                          APIs
                                                                          • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                          • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$FindSizeof
                                                                          • String ID:
                                                                          • API String ID: 3019604839-3916222277
                                                                          • Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                          • Instruction ID: 779852d327d389dbbb2f1b261a2bb7141e3a4eae573781fe7d13a424a4f3f89b
                                                                          • Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                          • Instruction Fuzzy Hash: F1811075D04258DFDF01CFE8D985AEEBBB0BF09305F1400AAE581B7262C3385A84DB69

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 409 85615e-856161 410 8560f5-856139 Sleep RtlEnterCriticalSection RtlLeaveCriticalSection 409->410 411 856163-856174 409->411 413 85613d-856149 410->413 411->413 413->409
                                                                          APIs
                                                                          • Sleep.KERNELBASE(0000EA60), ref: 00856104
                                                                          • RtlEnterCriticalSection.NTDLL(00884FD0), ref: 0085610F
                                                                          • RtlLeaveCriticalSection.NTDLL(00884FD0), ref: 00856120
                                                                          Strings
                                                                          • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 00856129
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Offset: 00851000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_851000_mediacodecpack3.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeaveSleep
                                                                          • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                          • API String ID: 1566154052-1923541051
                                                                          • Opcode ID: 38ad10d05a7ad106195b5808e8c261844420b8a7d87c67ae597c7b362723441b
                                                                          • Instruction ID: b9e21ba5d861b75f7b998939b720c0a94587a5b9c5d10fe152999f650a94d03d
                                                                          • Opcode Fuzzy Hash: 38ad10d05a7ad106195b5808e8c261844420b8a7d87c67ae597c7b362723441b
                                                                          • Instruction Fuzzy Hash: 6CF0222214CBC08FC7038760AC582A43F70FF5B319B0A00D7E589DB1A7D5995848C3B2

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetVersion.KERNEL32 ref: 00402A46
                                                                            • Part of subcall function 00403B64: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                            • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                          • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                          • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                            • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                          • String ID:
                                                                          • API String ID: 2057626494-0
                                                                          • Opcode ID: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                          • Instruction ID: 5f87248e4510ca7a7a053da507506fe2897125482441b09741c869e2758f94b2
                                                                          • Opcode Fuzzy Hash: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                          • Instruction Fuzzy Hash: BA214CB19006159ADB04AFA6DE49A6E7FA8EB04715F10413FF905BB2D1DB384900CA6C

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 443 851aa9-851ac3 InterlockedIncrement 444 851ac5-851ad7 WSAStartup InterlockedExchange 443->444 445 851add-851ae0 443->445 444->445
                                                                          APIs
                                                                          • InterlockedIncrement.KERNEL32(0088529C), ref: 00851ABA
                                                                          • WSAStartup.WS2_32(00000002,00000000), ref: 00851ACB
                                                                          • InterlockedExchange.KERNEL32(008852A0,00000000), ref: 00851AD7
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000851000.00000040.00001000.00020000.00000000.sdmp, Offset: 00851000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_851000_mediacodecpack3.jbxd
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Interlocked$ExchangeIncrementStartup
                                                                          • String ID:
                                                                          • API String ID: 1856147945-0
                                                                          • Opcode ID: 7636a364a62019626314946328cc598a51dae1774176c6e2cbd80fefedd46efd
                                                                          • Instruction ID: e61c47a61ff743aa4bed4fef7f529f651d8ef6cd55987370f48fc32141976a94
                                                                          • Opcode Fuzzy Hash: 7636a364a62019626314946328cc598a51dae1774176c6e2cbd80fefedd46efd
                                                                          • Instruction Fuzzy Hash: B3D05E71D44E045FD32177A0AE4EE787BACF705722F800251FD68C42D4EB91A95486A6

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 446 8c4616-8dc3d3 InternetOpenA
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000888000.00000040.00001000.00020000.00000000.sdmp, Offset: 00888000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_888000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: InternetOpen
                                                                          • String ID: U[6
                                                                          • API String ID: 2038078732-2089642770
                                                                          • Opcode ID: 9da12072d43447b64e4a252f4eef385320f2b620410863e90259298203cb1308
                                                                          • Instruction ID: 9edaed27573d516fff0e70ca267aa2e3d03663ca5c21d4200deb26f7537a5762
                                                                          • Opcode Fuzzy Hash: 9da12072d43447b64e4a252f4eef385320f2b620410863e90259298203cb1308
                                                                          • Instruction Fuzzy Hash: 01515FB260C604AFE7156F19ECC5BBAFBE9EF98320F06092DE7D583700D63558508A97

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 450 401897-40d052 453 40d556-40d557 450->453 454 40d058-40d05e 450->454 460 40d55c-40d569 GetStartupInfoA 453->460 455 40d013-40d01c 454->455 457 40d022-40d026 455->457 458 40209b-4020a0 455->458 459 40d71a 457->459 458->455 458->460 461 40d720 459->461 462 401f74-401f79 459->462 460->459 463 40db51 460->463 466 40d724 461->466 464 40dc03-40dc08 call 401301 462->464 463->464 467 40dc0d-40dc15 464->467 466->466
                                                                          APIs
                                                                          • GetStartupInfoA.KERNEL32(0040BC70), ref: 0040D55C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: InfoStartup
                                                                          • String ID: 3h
                                                                          • API String ID: 2571198056-227859408
                                                                          • Opcode ID: 024e0850f827c435b8a5028a910d45a29312e1de5a17c3597f685f170630041f
                                                                          • Instruction ID: 03e41e0e2fbe8f3f1350c05a2512de981e85b09ededd3a12d9f5b7d8ff28fd69
                                                                          • Opcode Fuzzy Hash: 024e0850f827c435b8a5028a910d45a29312e1de5a17c3597f685f170630041f
                                                                          • Instruction Fuzzy Hash: 604117B1908246CBD7149B68DE313E677B0E702321F14423E9553B31E2D77C444AEB5E

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 468 401c85-40dc49 RegCreateKeyExA
                                                                          APIs
                                                                          • RegCreateKeyExA.KERNELBASE(80000002,Software\MCodec56,00000000), ref: 0040DC43
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Create
                                                                          • String ID: Software\MCodec56
                                                                          • API String ID: 2289755597-4241566752
                                                                          • Opcode ID: f87b7628d3f1b6c01b43e6fa8910d4b250f6bb28f3b3560bcda25592cc6c599b
                                                                          • Instruction ID: 93077888e0bbcd1fcb5d665c645348ae1621a215fb68b31d801dbfa4ad4509b8
                                                                          • Opcode Fuzzy Hash: f87b7628d3f1b6c01b43e6fa8910d4b250f6bb28f3b3560bcda25592cc6c599b
                                                                          • Instruction Fuzzy Hash: 2CD0A931A9C20AB8F2002A924D0EB721514B708B94F60083B2452B30C6C2B8844BD25B

                                                                          Control-flow Graph
                                                                          • Node 472: 401878-401884 RegCloseKey
                                                                          • Node 473: 40dcf0-40dcf5 call 402940
                                                                          • Node 476: 40dcfa
                                                                          • Edges: 472->473, 473->476, 476->476
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: MediaCodecPack
                                                                          • API String ID: 3535843008-199385074
                                                                          • Opcode ID: d1c8d0ac3f500a16e2a1ba87aa97279d6ff8767d919a51834699a3c776ea22fd
                                                                          • Instruction ID: f19db8fe7a91f9339945a850f06442911a31ce16223db01261e704d0ab5d2cd6
                                                                          • Opcode Fuzzy Hash: d1c8d0ac3f500a16e2a1ba87aa97279d6ff8767d919a51834699a3c776ea22fd
                                                                          • Instruction Fuzzy Hash: B4B01221A4C510D7E5282BD05B09D6E34015544720732003B7683391E34FFD040B73EF

                                                                          Control-flow Graph
                                                                          • Node 477: 401b93-401ba5 RegSetValueExA RegCloseKey
                                                                          • Node 478: 40d143-40d1b8
                                                                          • Edges: 477->478
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValue
                                                                          • String ID:
                                                                          • API String ID: 3132538880-0
                                                                          • Opcode ID: 8d1ffd4e1db30a3de41eb7b4220ffc1c9475fd541d97c53cfaeaf051eb009d7e
                                                                          • Instruction ID: 4c22f98cd7c9e98f077693477baae5e06b4a06b3414cbbd33dac7c18dcee98c1
                                                                          • Opcode Fuzzy Hash: 8d1ffd4e1db30a3de41eb7b4220ffc1c9475fd541d97c53cfaeaf051eb009d7e
                                                                          • Instruction Fuzzy Hash: 34018C7541A5918FC709CB24AFB06A93FB5D64A740705107DD1D6AB273D6384C05EB1D
                                                                          APIs
                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                          • lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028 (case-insensitive comparison of a string against the "/chk" command-line switch)
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CtrlDispatcherServiceStartlstrcmpi
                                                                          • String ID: /chk
                                                                          • API String ID: 369133424-3837807730
                                                                          • Opcode ID: bf94812ca6c332d091ad4b42a885db31f7de2e204c73ca7d6ec59c21a7b81bd2
                                                                          • Instruction ID: 9673a0ded5c8b983d3e052be02671165733424ab24c3791a3204680fb7a92e49
                                                                          • Opcode Fuzzy Hash: bf94812ca6c332d091ad4b42a885db31f7de2e204c73ca7d6ec59c21a7b81bd2
                                                                          • Instruction Fuzzy Hash: 1DF02434A08356DFDB058BA089146967BB4FB02310B0580FFC486EA197C7388806DF49
                                                                          APIs
                                                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                            • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
                                                                          • HeapDestroy.KERNEL32 ref: 00403BB4
                                                                            • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$AllocCreateDestroyVersion
                                                                          • String ID:
                                                                          • API String ID: 2507506473-0
                                                                          • Opcode ID: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
                                                                          • Instruction ID: 13181fdbc77bd6b5762d4953551df96dffaf81345f3f43d3ea23e6f05a00c699
                                                                          • Opcode Fuzzy Hash: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
                                                                          • Instruction Fuzzy Hash: 58F065706547029ADB101F319E4572A3EA89B4075BF10447FFD00F51D1EFBC9784951D
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 81c2b33cd779f3770bbade04ffdf75582417cc2f6e97285ea47be6d284f00c90
                                                                          • Instruction ID: 93b9b1974ed41d96b605e6f2543649dec7ed103e9ca7e63d5c00ca61ae8303bf
                                                                          • Opcode Fuzzy Hash: 81c2b33cd779f3770bbade04ffdf75582417cc2f6e97285ea47be6d284f00c90
                                                                          • Instruction Fuzzy Hash: C701EF71E10219CFDB08DF98D8A1AEDB3B1FB09300F55856AE452B72A0C738A848CB15
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CopyFile
                                                                          • String ID:
                                                                          • API String ID: 1304948518-0
                                                                          • Opcode ID: 77cee4b6d02c89c83c6c8276e285ea2bf1f63efd6c688e4d25e383538686599e
                                                                          • Instruction ID: ad16e0f938f8472db79b29402d126077d4e772f8cfe65a76779df96d21c81dee
                                                                          • Opcode Fuzzy Hash: 77cee4b6d02c89c83c6c8276e285ea2bf1f63efd6c688e4d25e383538686599e
                                                                          • Instruction Fuzzy Hash: 3AD0A7B548800EBDD708C6419D89EE9239CD708719F2000BB7249F30D0DE3849595A3D
                                                                          APIs
                                                                          • RegQueryValueExA.KERNELBASE(?), ref: 0040D57B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: QueryValue
                                                                          • String ID:
                                                                          • API String ID: 3660427363-0
                                                                          • Opcode ID: edb662e5df4075614205ad4c2836f805a67019b38716de6e5ac022504569e8d8
                                                                          • Instruction ID: 26b46432db68fc4713545f90ca74021cbfbc64d50c18903c1266e08affe4bc0b
                                                                          • Opcode Fuzzy Hash: edb662e5df4075614205ad4c2836f805a67019b38716de6e5ac022504569e8d8
                                                                          • Instruction Fuzzy Hash: 1BB092B0D48506EBCB014FA09D04A6DBA71BF44350722483A88A2B1160D7744105AA5A
                                                                          APIs
                                                                          • CreateDirectoryA.KERNELBASE ref: 00401E96
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CreateDirectory
                                                                          • String ID:
                                                                          • API String ID: 4241100979-0
                                                                          • Opcode ID: 3de2052f2a00c726d227e4c4dd3299adb09deae8c3c4f630768cff51d50549a6
                                                                          • Instruction ID: ac672658b327ef22b57dd8096845a6f62d9f9dd2f6b21eb8d4679538076b0d83
                                                                          • Opcode Fuzzy Hash: 3de2052f2a00c726d227e4c4dd3299adb09deae8c3c4f630768cff51d50549a6
                                                                          • Instruction Fuzzy Hash: 61A02220888330FBC0300AB00F0C8283008080838033200333A8B300C088FE080B2B8F
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0
                                                                          • Opcode ID: 6c15b7e0cb941e7360e5b59663fee49a32cbf71ae8a53d536831a9755e68f830
                                                                          • Instruction ID: caaeb3edd0182b104b1465d8a7214e334b93cb3688170f1009fa56cc25eb67fe
                                                                          • Opcode Fuzzy Hash: 6c15b7e0cb941e7360e5b59663fee49a32cbf71ae8a53d536831a9755e68f830
                                                                          • Instruction Fuzzy Hash: D3A00221954A01AAE1407BB2EB0AB383910A725706F15417B7296790E18E79014A595F
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CopyFile
                                                                          • String ID:
                                                                          • API String ID: 1304948518-0
                                                                          • Opcode ID: 697de28deffca7a8713946bf57d344b2cffb3497efeb3799f2ec22fb237049b3
                                                                          • Instruction ID: 13d0081663d5c949863e01e780637134611a7a95a1637e4bbe86339b43f74999
                                                                          • Opcode Fuzzy Hash: 697de28deffca7a8713946bf57d344b2cffb3497efeb3799f2ec22fb237049b3
                                                                          • Instruction Fuzzy Hash: E1900220604101AFD2000B225F4861536A45505B4171A483D5447E0064DA3980496519
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Open
                                                                          • String ID:
                                                                          • API String ID: 71445658-0
                                                                          • Opcode ID: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
                                                                          • Instruction ID: 578dd1ffac1f8e1011a1a5834bce6420265c4f34c8c97087b967ba0ca0ba6dfb
                                                                          • Opcode Fuzzy Hash: 2697fc5bc034a1ffb4056f3d6960c569a4768683e8bbd70c4bae01e5f682b149
                                                                          • Instruction Fuzzy Hash: 20900220604101DAE2040A725A082192654660464571149395447E0150DA3580095D29
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208802181.0000000000888000.00000040.00001000.00020000.00000000.sdmp, Offset: 00888000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_888000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandle
                                                                          • String ID:
                                                                          • API String ID: 2962429428-0
                                                                          • Opcode ID: a2ba5bf3ec68f8546c8cef3c549d8c3cb552de4cdacd178ffc495ce285b27d37
                                                                          • Instruction ID: 9acfd62becb797eb40a75b79661c76db99d97d35494ad81c42c247a4589372b2
                                                                          • Opcode Fuzzy Hash: a2ba5bf3ec68f8546c8cef3c549d8c3cb552de4cdacd178ffc495ce285b27d37
                                                                          • Instruction Fuzzy Hash: 3251BFF26086009FE7097E19DC9577AF7E9EF84324F2A092EE6C583340E63554408A97
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: InfoSleepStartup
                                                                          • String ID:
                                                                          • API String ID: 3346105675-0
                                                                          • Opcode ID: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
                                                                          • Instruction ID: 9a29c4e619f7a4d8ed8324ebca556abd9c53da00443e6c512cbb7d8c9fa3b2b6
                                                                          • Opcode Fuzzy Hash: 820f2d36c53b95829267cfd4d46e36cd9cb5e965e78971ddadb887229b3ef415
                                                                          • Instruction Fuzzy Hash: 8FE08670C06245C6D724CEDC97243AAB3306748306F680137D107762D9C23D8D4EDA1F
                                                                          APIs
                                                                          • VirtualAlloc.KERNELBASE(00000000), ref: 0040184D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          • Opcode ID: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
                                                                          • Instruction ID: 3b235d091506e9fd49973954eb1e1228e6c7b9fea26647d7565d0fb406e94443
                                                                          • Opcode Fuzzy Hash: 91fd1d15897780a22772685a9e9e11523d47d63b978241df2ce472f9aad5acef
                                                                          • Instruction Fuzzy Hash: 16D01271849504DFDF084FF4CA48ADDBF30BB10701F110466E906BA1A1CB7CD947AB05
                                                                          APIs
                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040D1CF (0x3E8 = 1000 ms)
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
                                                                          • Instruction ID: fcb18d1d78468dbf9f57a7137ce4b137392d6aea0d2686bddcdc2e81c808b1ca
                                                                          • Opcode Fuzzy Hash: 8eeb56a042a3dc7536f4384a1371a3b7fda40716cbfa0a1f94c25bc104d3c431
                                                                          • Instruction Fuzzy Hash: 20B09234955B409BE28267A08AC96BC7760AB54300F601522AA12A91C08E785A47A50B
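The host artifacts scattered through the function blocks above (the RegCreateKeyExA call on HKLM\Software\MCodec56, the StartServiceCtrlDispatcherA and lstrcmpiW "/chk" pair, RegQueryValueExA, and the 1000 ms Sleep) are easier to triage once pulled out of the per-function "APIs" lists. The Python script below is an added example written for this page; it is not Joe Sandbox code and not code from the analysed sample. It parses entries in the report's "APIs" line format into records, resolves the standard Win32 HKEY_* root-handle values and Sleep durations, and builds a short artifact summary. The SAMPLE lines are copied from this section as constructed input; the regular expression, the record layout and the helper names are the example's own assumptions about the format.

```python
"""Parse Joe Sandbox IDA-plugin "APIs" entries into structured records.

Added example for this report page, not Joe Sandbox code and not code from
the analysed sample.  SAMPLE is constructed input copied from the entries
on this page; HKEY_ROOTS holds the standard Win32 HKEY_* handle values.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Predefined Win32 registry handles (winreg.h); these are standard values,
# not something the report states.
HKEY_ROOTS: Dict[int, str] = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# One entry as the report renders it: optional "Part of subcall function"
# prefix, API.MODULE, optional argument list, then the "ref:" call-site address.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed input: lines copied from the function blocks in this section.
SAMPLE = """\
• RegCreateKeyExA.KERNELBASE(80000002,Software\\MCodec56,00000000), ref: 0040DC43
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
• lstrcmpiW.KERNELBASE(?,/chk), ref: 0040E028
• HeapCreate.KERNELBASE(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
  • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
• RegQueryValueExA.KERNELBASE(?), ref: 0040D57B
• Sleep.KERNELBASE(000003E8), ref: 0040D1CF
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # set when the call sits inside a callee


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn report lines into ApiCall records; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def hex_or_none(token: str) -> Optional[int]:
    """Report arguments are hex; '?' marks a value the plugin could not recover."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def registry_path(hkey_token: str, subkey: str) -> str:
    """Resolve the hKey argument of a Reg* call to its hive name."""
    root = HKEY_ROOTS.get(hex_or_none(hkey_token), f"<handle {hkey_token}>")
    return f"{root}\\{subkey}"


def summarize(calls: List[ApiCall]) -> Dict[str, Any]:
    """Collect the host artifacts a triage analyst looks for first."""
    summary: Dict[str, Any] = {
        "registry_keys": [], "service_dispatcher": False,
        "cli_switches": [], "sleeps_ms": [], "modules": {},
    }
    for c in calls:
        summary["modules"][c.module] = summary["modules"].get(c.module, 0) + 1
        if c.api.startswith(("RegCreateKeyEx", "RegOpenKeyEx")) and len(c.args) >= 2:
            summary["registry_keys"].append(registry_path(c.args[0], c.args[1]))
        elif c.api.startswith("StartServiceCtrlDispatcher"):
            summary["service_dispatcher"] = True  # binary is built to run as a service
        elif c.api.startswith("lstrcmp"):
            summary["cli_switches"].extend(a for a in c.args if a.startswith(("/", "-")))
        elif c.api == "Sleep" and c.args:
            ms = hex_or_none(c.args[0])
            if ms is not None:
                summary["sleeps_ms"].append(ms)
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE)).items():
        print(f"{key}: {value}")
```

Running it on the SAMPLE lines yields the HKLM key path with the hive resolved, the service-dispatcher flag, the "/chk" switch and the 1000 ms sleep in one place; feeding it the full "APIs" text of a report gives the same summary across every function block.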
                                                                          APIs
                                                                          • sqlite3_malloc.SQLITE3 ref: 609674C6
                                                                            • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                          • sqlite3_step.SQLITE3 ref: 6096755A
                                                                          • sqlite3_malloc.SQLITE3 ref: 6096783A
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 609678A8
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 609678E8
                                                                          • sqlite3_column_blob.SQLITE3 ref: 60967901
                                                                          • sqlite3_column_int64.SQLITE3 ref: 6096791A
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967931
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967950
                                                                          • sqlite3_step.SQLITE3 ref: 609679C3
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967AA9
                                                                          • sqlite3_step.SQLITE3 ref: 60967AB4
                                                                          • sqlite3_column_int.SQLITE3 ref: 60967AC7
                                                                          • sqlite3_reset.SQLITE3 ref: 60967AD4
                                                                          • sqlite3_bind_int.SQLITE3 ref: 60967B89
                                                                          • sqlite3_step.SQLITE3 ref: 60967B94
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BB0
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BCF
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60967BE6
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 60967C05
                                                                          • sqlite3_column_blob.SQLITE3 ref: 60967C1E
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967C72
                                                                          • sqlite3_step.SQLITE3 ref: 60967C7D
                                                                          • memcmp.MSVCRT ref: 60967D4C
                                                                          • sqlite3_free.SQLITE3 ref: 60967D69
                                                                          • sqlite3_free.SQLITE3 ref: 60967D74
                                                                          • sqlite3_free.SQLITE3 ref: 60967FF7
                                                                          • sqlite3_free.SQLITE3 ref: 60968002
                                                                            • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                            • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                            • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                            • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                            • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                          • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                          • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                          • sqlite3_reset.SQLITE3 ref: 60968035
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                          • sqlite3_step.SQLITE3 ref: 609680D1
                                                                          • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                          • sqlite3_reset.SQLITE3 ref: 60968104
                                                                          • sqlite3_step.SQLITE3 ref: 60968139
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                          • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                            • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                          • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                            • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                            • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                          • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                            • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                          • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                          • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                          • sqlite3_step.SQLITE3 ref: 6096764C
                                                                          • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                          • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                          • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                            • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                          • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                          • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                          • sqlite3_step.SQLITE3 ref: 609690E6
                                                                          • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                          • sqlite3_free.SQLITE3 ref: 60969102
                                                                          • sqlite3_free.SQLITE3 ref: 6096910D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                          • String ID: $d
                                                                          • API String ID: 2451604321-2084297493
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6096A64C
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6096A656
                                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096A682
                                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096A6BC
                                                                          • sqlite3_mprintf.SQLITE3 ref: 6096A6F9
                                                                          • sqlite3_malloc.SQLITE3 ref: 6096A754
                                                                          • sqlite3_step.SQLITE3 ref: 6096A969
                                                                          • sqlite3_free.SQLITE3 ref: 6096A9AC
                                                                          • sqlite3_finalize.SQLITE3 ref: 6096A9BB
                                                                          • sqlite3_strnicmp.SQLITE3 ref: 6096B04A
                                                                            • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                            • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                            • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                          • sqlite3_value_int.SQLITE3 ref: 6096B241
                                                                          • sqlite3_malloc.SQLITE3 ref: 6096B270
                                                                          • sqlite3_bind_null.SQLITE3 ref: 6096B2DF
                                                                          • sqlite3_step.SQLITE3 ref: 6096B2EA
                                                                          • sqlite3_reset.SQLITE3 ref: 6096B2F5
                                                                          • sqlite3_value_int.SQLITE3 ref: 6096B43B
                                                                          • sqlite3_value_text.SQLITE3 ref: 6096B530
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6096B576
                                                                          • sqlite3_free.SQLITE3 ref: 6096B5F4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_stepsqlite3_strnicmp$sqlite3_freesqlite3_mallocsqlite3_resetsqlite3_value_bytessqlite3_value_intsqlite3_value_text$sqlite3_bind_intsqlite3_bind_nullsqlite3_finalizesqlite3_mprintf
                                                                          • String ID: optimize
                                                                          • API String ID: 1540667495-3797040228
                                                                          APIs
                                                                          • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                          • sqlite3_free.SQLITE3 ref: 60966183
                                                                          • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                          • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                          • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                          • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                          • memcmp.MSVCRT ref: 6096639E
                                                                            • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                            • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                          • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                          • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                            • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                            • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                          • String ID: ASC$DESC$x
                                                                          • API String ID: 4082667235-1162196452
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096882B
                                                                          • sqlite3_bind_int.SQLITE3 ref: 60968842
                                                                          • sqlite3_step.SQLITE3 ref: 6096884D
                                                                          • sqlite3_reset.SQLITE3 ref: 60968858
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968907
                                                                          • sqlite3_bind_int.SQLITE3 ref: 60968924
                                                                          • sqlite3_step.SQLITE3 ref: 6096892F
                                                                          • sqlite3_column_blob.SQLITE3 ref: 60968947
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 6096895C
                                                                          • sqlite3_column_int64.SQLITE3 ref: 60968975
                                                                          • sqlite3_reset.SQLITE3 ref: 609689B0
                                                                            • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                            • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                            • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                            • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                            • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                          • sqlite3_free.SQLITE3 ref: 60968A68
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968B00
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968B2D
                                                                          • sqlite3_step.SQLITE3 ref: 60968B38
                                                                          • sqlite3_reset.SQLITE3 ref: 60968B43
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968B9F
                                                                          • sqlite3_bind_blob.SQLITE3 ref: 60968BC8
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60968BEF
                                                                          • sqlite3_bind_int.SQLITE3 ref: 60968C0C
                                                                          • sqlite3_step.SQLITE3 ref: 60968C17
                                                                          • sqlite3_reset.SQLITE3 ref: 60968C22
                                                                          • sqlite3_free.SQLITE3 ref: 60968C2F
                                                                          • sqlite3_free.SQLITE3 ref: 60968C3A
                                                                            • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164E9
                                                                            • Part of subcall function 60916390: sqlite3_free.SQLITE3 ref: 609164F4
                                                                            • Part of subcall function 6095F772: sqlite3_bind_int64.SQLITE3 ref: 6095F7AC
                                                                            • Part of subcall function 6095F772: sqlite3_bind_blob.SQLITE3 ref: 6095F7D5
                                                                            • Part of subcall function 6095F772: sqlite3_step.SQLITE3 ref: 6095F7E0
                                                                            • Part of subcall function 6095F772: sqlite3_reset.SQLITE3 ref: 6095F7EB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                           • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                           • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64$sqlite3_free$sqlite3_resetsqlite3_step$sqlite3_bind_int$sqlite3_bind_blob$sqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_column_blobsqlite3_column_bytessqlite3_column_int64sqlite3_malloc
                                                                          • String ID:
                                                                          • API String ID: 2526640242-0
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                          • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                          • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                            • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                            • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                            • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                            • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                          • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                          • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                          • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                          • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                          • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                          • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                          • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                          • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                            • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                          • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                          • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                          • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                          • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                          • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                          • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                          • String ID:
                                                                          • API String ID: 961572588-0
                                                                          • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                          • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                          • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                          • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                          • String ID: 2$foreign key$indexed
                                                                          • API String ID: 4126863092-702264400
                                                                          • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                          • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                          • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                          • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094A72B
                                                                          • sqlite3_step.SQLITE3 ref: 6094A73C
                                                                          • sqlite3_column_blob.SQLITE3 ref: 6094A760
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 6094A77C
                                                                          • sqlite3_malloc.SQLITE3 ref: 6094A793
                                                                          • sqlite3_reset.SQLITE3 ref: 6094A7F2
                                                                          • sqlite3_free.SQLITE3(?), ref: 6094A87C
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_column_blobsqlite3_column_bytessqlite3_freesqlite3_mallocsqlite3_mutex_entersqlite3_resetsqlite3_step
                                                                          • String ID:
                                                                          • API String ID: 2794791986-0
                                                                          • Opcode ID: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                          • Instruction ID: 088d5e00ded46b3eb5457b54e5d33bc48436a4b712d77f6ae5dc1ca3eb859b7b
                                                                          • Opcode Fuzzy Hash: 324244e72ed1eb068e97444324dd06558e7f5640642cd65f7376e38a8826fd77
                                                                          • Instruction Fuzzy Hash: BE5110B5A042058FCB04CF69C48069ABBF6FF68318F158569E858AB345D734EC82CF90
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_stricmp
                                                                          • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                          • API String ID: 912767213-1308749736
                                                                          • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                          • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                          • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                          • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                          • sqlite3_step.SQLITE3 ref: 6094B496
                                                                          • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                          • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                          • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                            • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                          • String ID:
                                                                          • API String ID: 4082478743-0
                                                                          • Opcode ID: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                          • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                          • Opcode Fuzzy Hash: aa77e302053f557c70a8d8c80c1bb3ccc0b69d7e46be98bddd9db9cb48891f7f
                                                                          • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                            • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                          • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID: BINARY$INTEGER
                                                                          • API String ID: 317512412-1676293250
                                                                          • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                          • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                          • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                          • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B582
                                                                          • sqlite3_step.SQLITE3 ref: 6094B590
                                                                          • sqlite3_column_int64.SQLITE3 ref: 6094B5AD
                                                                          • sqlite3_reset.SQLITE3 ref: 6094B5EE
                                                                          • memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: memmovesqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_step
                                                                          • String ID:
                                                                          • API String ID: 2802900177-0
                                                                          • Opcode ID: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                          • Instruction ID: fa681a173a9aa7ad5377a8f3376375fc0286f70c891b696e42c92f52458a3a0e
                                                                          • Opcode Fuzzy Hash: f7dd783d858009ac2aa36dfb06bc3a4e86bc75c1920f7d1bf53ec4d0fe99899e
                                                                          • Instruction Fuzzy Hash: 0B517D75A082018FCB14CF69C48169EF7F7FBA8314F25C669D8499B318EA74EC81CB81
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                            • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                            • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                            • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                          • String ID:
                                                                          • API String ID: 4038589952-0
                                                                          • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                          • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                          • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                          • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                          APIs
                                                                            • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
                                                                            • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
                                                                            • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
                                                                            • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094C719
                                                                          • sqlite3_step.SQLITE3 ref: 6094C72A
                                                                          • sqlite3_reset.SQLITE3 ref: 6094C73B
                                                                            • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                            • Part of subcall function 6094A9F5: sqlite3_free.SQLITE3 ref: 6094AA7A
                                                                          • sqlite3_free.SQLITE3 ref: 6094C881
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_freesqlite3_resetsqlite3_step$memmovesqlite3_column_int64
                                                                          • String ID:
                                                                          • API String ID: 3487101843-0
                                                                          • Opcode ID: 5f7c6ccdcb237f7a487fb09799aacf08d073da1bf61c53431d7ccff799043987
                                                                          • Instruction ID: dadb85a3919e548a164012fc2e04d9b0ab11445217433cc10b515e99a95ed5c3
                                                                          • Opcode Fuzzy Hash: 5f7c6ccdcb237f7a487fb09799aacf08d073da1bf61c53431d7ccff799043987
                                                                          • Instruction Fuzzy Hash: 3681FA74A046098FCB44DF99C480A9DF7F7AFA8354F258529E855AB314EB34EC46CF90
                                                                          APIs
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                          • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                            • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                          • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                          • sqlite3_step.SQLITE3 ref: 6096A435
                                                                          • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                          • String ID:
                                                                          • API String ID: 247099642-0
                                                                          • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                          • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                          • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                          • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                          APIs
                                                                            • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                            • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                            • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                          • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                            • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                          • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                          • String ID:
                                                                          • API String ID: 326482775-0
                                                                          • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                          • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                          • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                          • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B71E
                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 6094B73C
                                                                          • sqlite3_step.SQLITE3 ref: 6094B74A
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64$sqlite3_mutex_leavesqlite3_step
                                                                          • String ID:
                                                                          • API String ID: 3305529457-0
                                                                          • Opcode ID: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                                          • Instruction ID: cea3564161c85327b61b62d60446574847d05a2bcfebeda4641ea5396b37aa5a
                                                                          • Opcode Fuzzy Hash: dc92f9052f14c19b23696c87723feab2593fd922d888b89f432a916288e70c30
                                                                          • Instruction Fuzzy Hash: D401A8B45047049FCB00DF19D9C968ABBE5FF98354F158869FC888B305D374E8548BA6
                                                                          APIs
                                                                          • CreateServiceA.ADVAPI32 ref: 00401CFB
                                                                          • CloseServiceHandle.ADVAPI32(00000000), ref: 00401EEA
                                                                          • CloseServiceHandle.ADVAPI32(?), ref: 0040D23C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Service$CloseHandle$Create
                                                                          • String ID:
                                                                          • API String ID: 2095555506-0
                                                                          • Opcode ID: 798336170624c8ac89b9a2c31719ae8e1c376ef6816bfeab9d8cee1d71777bcc
                                                                          • Instruction ID: 94f379f039eced8726fb3cb338ec06236e1c18fcefb958c6377dd5f00325babe
                                                                          • Opcode Fuzzy Hash: 798336170624c8ac89b9a2c31719ae8e1c376ef6816bfeab9d8cee1d71777bcc
                                                                          • Instruction Fuzzy Hash: A6D09E31D44114EACF201BD19D48D6E2E79A7443A4F2504BAE501760F0C6799946FA5A
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1477753154-0
                                                                          • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                          • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                          • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                          • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609255B2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                          • Instruction ID: 19c4c58ecb434a21204d9b38047e93a23a7f28015e8477a734fda6841bb58fe8
                                                                          • Opcode Fuzzy Hash: 61f2b65abbb078f396bfa931b2809e4962fa985140118a0fa907d432528e7d54
                                                                          • Instruction Fuzzy Hash: 56317AB4A082188FCB04DF69D880A8EBBF6FF99314F008559FC5897348D734D940CBA5
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                          • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                          • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                          • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                          • Instruction ID: 4fd0dfe8dd6226820e052206e0db6187a6d8a97f2116fb4a305c2fd2856f8961
                                                                          • Opcode Fuzzy Hash: ebbe32869a67294cb2d54c108597a832b3743d43329dcf341f64f2493053d601
                                                                          • Instruction Fuzzy Hash: 94F08CB5A002099BCB00DF2AD88088ABBBAFF98264B05952AEC049B314D770E941CBD0
                                                                          APIs
                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CtrlDispatcherServiceStart
                                                                          • String ID:
                                                                          • API String ID: 3789849863-0
                                                                          • Opcode ID: 4fe4cdbd69d76611cbe8f8d839fbcf879ed414cccbfa791050e202b1d5f79f32
                                                                          • Instruction ID: da040a5c410dac6804bc47ba04513fdabb8688a912b3c46f63b6c3d26f8cee3d
                                                                          • Opcode Fuzzy Hash: 4fe4cdbd69d76611cbe8f8d839fbcf879ed414cccbfa791050e202b1d5f79f32
                                                                          • Instruction Fuzzy Hash: B7E09A30811919DBDB50AF60DE887DA73B4FB82751F0081F6C84AB6191C7308A9ACF9A
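The two entries above from the main module (dumps with Offset: 00400000) are the ones that matter for triage: CreateServiceA at 00401CFB installs a service, and StartServiceCtrlDispatcherA at 0040DF4C is what a service binary calls to hand its main thread to the Service Control Manager. The SQLITE3 call chains come from the module mapped at 60900000 and are ordinary prepared-statement usage. The script below, an added example and not Joe Sandbox's own code, parses entries in the shape this report prints them and flags the service APIs called directly from the main module. The sample text is constructed from the entries on this page; the API sets, the `Entry`/`ApiCall` names and the classification strings are the example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: four "Executed Functions" entries in the shape
# this report prints them (an "APIs" list followed by the memory-dump source).
SAMPLE_ENTRIES = """\
APIs
• CreateServiceA.ADVAPI32 ref: 00401CFB
• CloseServiceHandle.ADVAPI32(00000000), ref: 00401EEA
• CloseServiceHandle.ADVAPI32(?), ref: 0040D23C
Memory Dump Source
• Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
APIs
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
• sqlite3_bind_int64.SQLITE3 ref: 6096A322
• sqlite3_step.SQLITE3 ref: 6096A32D
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
• sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040DF4C
Memory Dump Source
• Source File: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
"""

# One API reference line: optional "Part of subcall function X:" prefix,
# optional "(args)" after the module name, optional comma before "ref:".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
OFFSET_LINE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+)")

# Win32 service APIs (example's own grouping): seen in the main module they
# mean the sample installs itself as a service and runs as a service process.
SERVICE_INSTALL_APIS = {"CreateServiceA", "CreateServiceW"}
SERVICE_RUN_APIS = {"StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW"}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when the report attributes it to a subcall


@dataclass
class Entry:
    offset: str = ""         # image base of the dump the function lives in
    calls: list = field(default_factory=list)


def parse_entries(text: str) -> list:
    """Split report text into one Entry per 'APIs' block."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Entry()
            entries.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(m["name"], m["module"], m["ref"].upper(), m["sub"]))
            continue
        m = OFFSET_LINE.search(line)
        if m and not current.offset:
            current.offset = m["offset"].upper()
    return entries


def service_api_hits(entries: list, image_base: str) -> list:
    """(api name, call-site address) for service APIs called directly, not via
    a reported subcall, from functions in the module at image_base."""
    hits = []
    for e in entries:
        if e.offset != image_base.upper():
            continue
        for c in e.calls:
            if c.subcall is None and c.name in SERVICE_INSTALL_APIS | SERVICE_RUN_APIS:
                hits.append((c.name, c.ref))
    return hits


def classify_service_behaviour(entries: list, image_base: str) -> str:
    names = {name for name, _ in service_api_hits(entries, image_base)}
    installs = bool(names & SERVICE_INSTALL_APIS)
    runs = bool(names & SERVICE_RUN_APIS)
    if installs and runs:
        return "installs a service and runs as a service process"
    if installs:
        return "installs a service"
    if runs:
        return "runs as a service process"
    return "no service API use in this module"


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_ENTRIES)
    for name, ref in service_api_hits(parsed, "00400000"):
        print(f"{name} at {ref}")
    print(classify_service_behaviour(parsed, "00400000"))
```

Calls reported as "Part of subcall function" are skipped on purpose: the report repeats them under every caller, so counting them would attribute one sqlite3_mprintf site to several functions. Filtering on the dump offset keeps the SQLITE3 module's own calls out of the persistence verdict for the main image.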
                                                                          APIs
                                                                            • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60925678
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1465156292-0
                                                                          • Opcode ID: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                                          • Instruction ID: bc2fa39936d9f4ed0ba1ebf98b65e017ff83ed2bbf5e058a49948814e7f33c49
                                                                          • Opcode Fuzzy Hash: 20ce1548f611e36a3668a48b9975394e1a388ab84833d9cb320a678b216caf11
                                                                          • Instruction Fuzzy Hash: 59E0EC74A042089BCB04DF6AD4C194AB7F9EF58258B14D665EC458B309E231E9858BC1
                                                                          APIs
                                                                          • sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                            • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 3064317574-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          APIs
                                                                          • sqlite3_initialize.SQLITE3 ref: 6096C5BE
                                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_log.SQLITE3 ref: 6096C5FC
                                                                          • sqlite3_free.SQLITE3 ref: 6096C67E
                                                                          • sqlite3_free.SQLITE3 ref: 6096CD71
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6096CD80
                                                                          • sqlite3_errcode.SQLITE3 ref: 6096CD88
                                                                          • sqlite3_close.SQLITE3 ref: 6096CD97
                                                                          • sqlite3_create_function.SQLITE3 ref: 6096CDF8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_closesqlite3_create_functionsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID: BINARY$NOCASE$RTRIM$porter$rtree$rtree_i32$simple
                                                                          • API String ID: 1320758876-2501389569
                                                                          APIs
                                                                          • sqlite3_free.SQLITE3 ref: 609264C9
                                                                          • sqlite3_free.SQLITE3 ref: 60926526
                                                                          • sqlite3_free.SQLITE3 ref: 6092652E
                                                                          • sqlite3_free.SQLITE3 ref: 60926550
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                            • Part of subcall function 6090AFF5: sqlite3_free.SQLITE3 ref: 6090B09A
                                                                          • sqlite3_free.SQLITE3 ref: 60926626
                                                                          • sqlite3_win32_mbcs_to_utf8.SQLITE3 ref: 6092662E
                                                                          • sqlite3_free.SQLITE3 ref: 60926638
                                                                          • sqlite3_snprintf.SQLITE3 ref: 6092666B
                                                                          • sqlite3_free.SQLITE3 ref: 60926673
                                                                          • sqlite3_snprintf.SQLITE3 ref: 609266B8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                          • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                          • API String ID: 937752868-2111127023
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc$sqlite3_freesqlite3_vfs_find
                                                                          • String ID: @$access$cache
                                                                          • API String ID: 4158134138-1361544076
                                                                          APIs
                                                                          Strings
                                                                          • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                                          • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                                          • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                                          • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                          • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                                          • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                          • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                                          • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                                          • BEGIN;, xrefs: 609485DB
                                                                          • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                          • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                          • API String ID: 632333372-52344843
                                                                          APIs
                                                                          • RegisterServiceCtrlHandlerA.ADVAPI32(MediaCodecPack,Function_000019C8), ref: 00401A25
                                                                          • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401A84
                                                                          • GetLastError.KERNEL32 ref: 00401A86
                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00401A93
                                                                          • GetLastError.KERNEL32 ref: 00401AB4
                                                                          • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401AE4
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_00001897,00000000,00000000,00000000), ref: 00401AF0
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00401AF9
                                                                          • CloseHandle.KERNEL32 ref: 00401B05
                                                                          • SetServiceStatus.ADVAPI32(0040BE40), ref: 00401B2E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
                                                                          • String ID: MediaCodecPack
                                                                          • API String ID: 3346042915-199385074
                                                                          APIs
                                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                          • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                          • sqlite3_free.SQLITE3 ref: 609605EA
                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                          • sqlite3_free.SQLITE3 ref: 60960618
                                                                          • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                          • String ID: offsets
                                                                          • API String ID: 463808202-2642679573
                                                                          • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                          • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                          • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                          • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                          • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                          • String ID:
                                                                          • API String ID: 2903785150-0
                                                                          • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                          • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                          • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                          • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_malloc
                                                                          • String ID:
                                                                          • API String ID: 423083942-0
                                                                          • Opcode ID: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                          • Instruction ID: dba10035f3c017a022ff92dc0406edc4c972eb6647695f7afdbed5011b3e14eb
                                                                          • Opcode Fuzzy Hash: 039a1925b88827ab71129b12bf0a0cfd7bb9a75e2f5fb5313a60c0869b9e4a18
                                                                          • Instruction Fuzzy Hash: 9112E3B4A15218CFCB18CF98D480A9EBBF6BF98304F24855AD855AB319D774EC42CF90
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                          • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                          • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                          • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                          • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                          • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                          • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                          • String ID:
                                                                          • API String ID: 3556715608-0
                                                                          • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                          • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                          • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                          • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                          APIs
                                                                          • sqlite3_malloc.SQLITE3 ref: 6095F645
                                                                          • sqlite3_exec.SQLITE3 ref: 6095F686
                                                                            • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                          • sqlite3_free_table.SQLITE3 ref: 6095F6A0
                                                                          • sqlite3_mprintf.SQLITE3 ref: 6095F6C7
                                                                            • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                            • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                          • sqlite3_free.SQLITE3 ref: 6095F6B4
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_free.SQLITE3 ref: 6095F6D4
                                                                          • sqlite3_free.SQLITE3 ref: 6095F6ED
                                                                          • sqlite3_free_table.SQLITE3 ref: 6095F6FF
                                                                          • sqlite3_realloc.SQLITE3 ref: 6095F71B
                                                                          • sqlite3_free_table.SQLITE3 ref: 6095F72D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_free_table$sqlite3_execsqlite3_initializesqlite3_logsqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_reallocsqlite3_vmprintf
                                                                          • String ID:
                                                                          • API String ID: 1866449048-0
                                                                          • Opcode ID: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                          • Instruction ID: 9ac78cbffd0e0cf27e5d0fdbf17c3a3d034f00011a14f89e76d08e502163788c
                                                                          • Opcode Fuzzy Hash: 2addae8d4502475aa330d0fbe12d9077f3fed0f055932ab6dac269a256a03500
                                                                          • Instruction Fuzzy Hash: 8751F1B49467099FDB01DF69D59178EBBF6FF68318F104429E884AB300D379D894CB91
                                                                          APIs
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407B4
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407C2
                                                                            • Part of subcall function 6094064B: sqlite3_mutex_enter.SQLITE3 ref: 609406A7
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407D0
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407DE
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407EC
                                                                          • sqlite3_finalize.SQLITE3 ref: 609407FA
                                                                          • sqlite3_finalize.SQLITE3 ref: 60940808
                                                                          • sqlite3_finalize.SQLITE3 ref: 60940816
                                                                          • sqlite3_finalize.SQLITE3 ref: 60940824
                                                                          • sqlite3_free.SQLITE3 ref: 6094082C
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_finalize$sqlite3_logsqlite3_mutex_enter$sqlite3_free
                                                                          • String ID:
                                                                          • API String ID: 14011187-0
                                                                          • Opcode ID: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                          • Instruction ID: 14c977e837db455c9c1ce3b69ce7d4e0fb0da6313972e550a4586d0eb1b189ee
                                                                          • Opcode Fuzzy Hash: d36625bd4fa8924ea0abcbec615d2e266582c2e39b3be902bd1f9101c01d6c45
                                                                          • Instruction Fuzzy Hash: F7116774504B008BCB50BF78C9C965877E9AFB5308F061978EC8A8F306EB34D4918B15
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00403EF1,?,Microsoft Visual C++ Runtime Library,00012010,?,00408574,?,004085C4,?,?,?,Runtime Error!Program: ), ref: 004060FA
                                                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00406112
                                                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00406123
                                                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00406130
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$LibraryLoad
                                                                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                          • API String ID: 2238633743-4044615076
                                                                          • Opcode ID: 30dd77c3664451088d9a49f7b1ebdf2ed2115b5f614d26e279abac0bd39ca4ff
                                                                          • Instruction ID: 36fb3fed3a384cff097ea3fb9e63704b9da04faa094e7ece228342700e77c082
                                                                          • Opcode Fuzzy Hash: 30dd77c3664451088d9a49f7b1ebdf2ed2115b5f614d26e279abac0bd39ca4ff
                                                                          • Instruction Fuzzy Hash: E5018431700211DBC7109FB59FC0A177BE99A997C0712093FB646FA2A3DA7C88158FAD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                          • API String ID: 0-780898
                                                                          • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                          • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                          • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                          • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                          • API String ID: 0-2604012851
                                                                          APIs
                                                                          • LCMapStringW.KERNEL32(00000000,00000100,00408640,00000001,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 00406409
                                                                          • LCMapStringA.KERNEL32(00000000,00000100,0040863C,00000001,00000000,00000000,?,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406425
                                                                          • LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00405E87,?,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 0040646E
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00405E87,00200020,00000000,?,00000000,00000000), ref: 004064A6
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004064FE
                                                                          • LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 00406514
                                                                          • LCMapStringW.KERNEL32(00000000,?,00405E87,00000000,00405E87,?,?,00405E87,00200020,00000000,?,00000000), ref: 00406547
                                                                          • LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00405E87,00200020,00000000,?,00000000), ref: 004065AF
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: String$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 352835431-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: memcmp$sqlite3_logsqlite3_mutex_try
                                                                          • String ID: 0$SQLite format 3
                                                                          • API String ID: 3174206576-3388949527
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                          • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                          • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                          • sqlite3_free.SQLITE3 ref: 6095F180
                                                                            • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                            • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                          • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                          • String ID: |
                                                                          • API String ID: 1576672187-2343686810
                                                                          APIs
                                                                          • sqlite3_file_control.SQLITE3 ref: 609537BD
                                                                          • sqlite3_free.SQLITE3 ref: 60953842
                                                                          • sqlite3_free.SQLITE3 ref: 6095387C
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_stricmp.SQLITE3 ref: 609538D4
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_file_controlsqlite3_mutex_entersqlite3_stricmp
                                                                          • String ID: 6$timeout
                                                                          • API String ID: 2671017102-3660802998
                                                                          APIs
                                                                          • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                            • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                          • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                          • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                          • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                          • API String ID: 652164897-1572359634
                                                                          APIs
                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00403E3A
                                                                          • GetStdHandle.KERNEL32(000000F4,00408574,00000000,?,00000000,00000000), ref: 00403F10
                                                                          • WriteFile.KERNEL32(00000000), ref: 00403F17
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: File$HandleModuleNameWrite
                                                                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                          • API String ID: 3784150691-4022980321
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                          • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                          • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                          • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                          • String ID:
                                                                          • API String ID: 2352520524-0
                                                                          APIs
                                                                            • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                            • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                            • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                            • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                          • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                            • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                            • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                            • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                          • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                          • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                          • String ID: optimize
                                                                          • API String ID: 3659050757-3797040228
                                                                          APIs
                                                                          • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                          • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                          • sqlite3_reset.SQLITE3 ref: 60965556
                                                                          • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                          • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                          • sqlite3_free.SQLITE3 ref: 60965714
                                                                          • sqlite3_free.SQLITE3 ref: 6096574B
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_free.SQLITE3 ref: 609657AA
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 2722129401-0
                                                                          APIs
                                                                          • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                            • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                          • sqlite3_free.SQLITE3 ref: 609647C5
                                                                            • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                          • sqlite3_free.SQLITE3 ref: 6096476B
                                                                            • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                          • sqlite3_free.SQLITE3 ref: 6096477B
                                                                          • sqlite3_free.SQLITE3 ref: 60964783
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                          • String ID:
                                                                          • API String ID: 571598680-0
                                                                          • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                          • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                          • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                          • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                          APIs
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040372D
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 00403741
                                                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 0040376D
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037A5
                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037C7
                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00402AA4), ref: 004037E0
                                                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00402AA4), ref: 004037F3
                                                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00403831
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                                          • String ID:
                                                                          • API String ID: 1823725401-0
                                                                          • Opcode ID: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
                                                                          • Instruction ID: 45b108152198534a65e95edcfca0b8ba0a54c8eec5aa0c4c05c1d64ec2385aa0
                                                                          • Opcode Fuzzy Hash: 7f1ee2c931afbeb2bcd72820eb8f065979dd47f7a99393091ec5d7620f58e433
                                                                          • Instruction Fuzzy Hash: 2131D2F35082619ED7203F745DC483BBE9CEA4530A715453FF981F3280DA795D4286A9
                                                                          APIs
                                                                          • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                            • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                          • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                          • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                          • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                          • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                          • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                          • sqlite3_free.SQLITE3 ref: 60963621
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                          • String ID:
                                                                          • API String ID: 4276469440-0
                                                                          • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                          • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                                          • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                          • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                          APIs
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                          Strings
                                                                          • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                          • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                          • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                          • API String ID: 4080917175-264706735
                                                                          • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                          • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                          • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                          • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                          APIs
                                                                            • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                          • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                          • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID: library routine called out of sequence$out of memory
                                                                          • API String ID: 2019783549-3029887290
                                                                          • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                          • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                          • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                          • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                          APIs
                                                                          • sqlite3_finalize.SQLITE3 ref: 609406E3
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940672
                                                                            • Part of subcall function 6094064B: sqlite3_log.SQLITE3 ref: 60940696
                                                                          • sqlite3_free.SQLITE3 ref: 609406F7
                                                                          • sqlite3_free.SQLITE3 ref: 60940705
                                                                          • sqlite3_free.SQLITE3 ref: 60940713
                                                                          • sqlite3_free.SQLITE3 ref: 6094071E
                                                                          • sqlite3_free.SQLITE3 ref: 60940729
                                                                          • sqlite3_free.SQLITE3 ref: 6094073C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free$sqlite3_log$sqlite3_finalize
                                                                          • String ID:
                                                                          • API String ID: 1159759059-0
                                                                          • Opcode ID: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                                          • Instruction ID: 8ceab58ab7f3fb7faec85fb80e78016d1f3d655de586deaf1cb04ee1bc4e3406
                                                                          • Opcode Fuzzy Hash: 19269ae46022e444f8470c890b78f38089a522c4155da373e534dfec766a18bc
                                                                          • Instruction Fuzzy Hash: C801E8B45447108BDB00AF78C4C5A59BBE5EF79B18F06096DECCA8B305D734D8809B91
                                                                          APIs
                                                                          • GetStringTypeW.KERNEL32(00000001,00408640,00000001,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 004062BD
                                                                          • GetStringTypeA.KERNEL32(00000000,00000001,0040863C,00000001,?,?,00000000,00000000,00000001), ref: 004062D7
                                                                          • GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 0040630B
                                                                          • MultiByteToWideChar.KERNEL32(00405E87,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00405E87,00200020,00000000,?,00000000,00000000,00000001), ref: 00406343
                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406399
                                                                          • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004063AB
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: StringType$ByteCharMultiWide
                                                                          • String ID:
                                                                          • API String ID: 3852931651-0
                                                                          • Opcode ID: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                          • Instruction ID: 1973b5c1488275f86b32e201772009c48c68fd6130b56f6c31499d13724d529d
                                                                          • Opcode Fuzzy Hash: d203232162232c56530dc1c9e7ac7d7ca2f1092592616d16a6b156e600e46040
                                                                          • Instruction Fuzzy Hash: 97418E72500219EFDF119F94DE86AAF3F78EB04350F11453AFA52F6290C73989608BE8
                                                                          APIs
                                                                          • sqlite3_free.SQLITE3(?), ref: 609476DD
                                                                            • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
                                                                          • sqlite3_log.SQLITE3 ref: 609498F5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
                                                                          • String ID: List of tree roots: $d$|
                                                                          • API String ID: 3709608969-1164703836
                                                                          • Opcode ID: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                          • Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
                                                                          • Opcode Fuzzy Hash: 316fa83f4dc1e403b3b617744d66ff6f9af545e53e2752a9ff9486d467efffaf
                                                                          • Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
                                                                          APIs
                                                                            • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                            • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                            • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                            • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                          • sqlite3_column_int64.SQLITE3 ref: 609600BA
                                                                          • sqlite3_column_text.SQLITE3 ref: 609600EF
                                                                          • sqlite3_free.SQLITE3 ref: 6096029A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
                                                                          • String ID: e
                                                                          • API String ID: 786425071-4024072794
                                                                          • Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                          • Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
                                                                          • Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
                                                                          • Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
APIs
• GetVersionExA.KERNEL32 ref: 00403A3B
• GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00403A70
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403AD0
Strings
Memory Dump Source
• Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: EnvironmentFileModuleNameVariableVersion
• String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
• API String ID: 1385375860-4131005785
• Opcode ID: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
• Instruction ID: 8e0d8efe135bd9bd4ab90b631ae35de0fa5087430b450c3f58eab12f6465c816
• Opcode Fuzzy Hash: 0f37da7df256ea2bf10cd5595ffbc211f3aae08b662fce8f1d53329a7b1a0cb3
• Instruction Fuzzy Hash: BD3102319012886DEB319A745C46B9B7F6C9B02309F2404FBE185F52C3E6389F89CB1D
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_exec
• String ID: sqlite_master$sqlite_temp_master$|
• API String ID: 2141490097-2247242311
• Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
• Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
• Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
• Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
APIs
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_free$memcmpsqlite3_realloc
• String ID:
• API String ID: 3422960571-0
• Opcode ID: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
• Instruction ID: 3b390e38dde49c5924589a602beaf2ee173d98914be71c714148da16d267e2cf
• Opcode Fuzzy Hash: 50eda45380483794e32bdd730fc6b6b580c41d30328003452ec2c22d7d846426
• Instruction Fuzzy Hash: 42B1D0B4E142189BEB05CFA9C5807DDBBF6BFA8304F148429E858A7344D374E946CF91
APIs
  • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
• sqlite3_malloc.SQLITE3 ref: 6094B1D1
• sqlite3_value_bytes.SQLITE3 ref: 6094B24C
• sqlite3_malloc.SQLITE3 ref: 6094B272
• sqlite3_value_blob.SQLITE3 ref: 6094B298
• sqlite3_free.SQLITE3 ref: 6094B2C8
  • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
  • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
  • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
  • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
• String ID:
• API String ID: 683514883-0
• Opcode ID: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
• Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
• Opcode Fuzzy Hash: 3036fcfce1ee653ed62d56f61367963e4d2afc4bfe1ca560103df060be3b8356
• Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
APIs
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
• sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
• sqlite3_free.SQLITE3 ref: 6093A3BA
• sqlite3_free.SQLITE3 ref: 6093A3C2
  • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
  • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
  • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
• String ID:
• API String ID: 1903298374-0
• Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
• Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
• Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
• Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
APIs
• GetStartupInfoA.KERNEL32(?), ref: 0040389D
• GetFileType.KERNEL32(00000800), ref: 00403943
• GetStdHandle.KERNEL32(-000000F6), ref: 0040399C
• GetFileType.KERNEL32(00000000), ref: 004039AA
• SetHandleCount.KERNEL32 ref: 004039E1
Memory Dump Source
• Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
• Opcode ID: f9f6c698642d398b554f84be3c90f4064283888af6bbc673017cb63da6670b61
• Instruction ID: 825ec877f99b7629084fcbf2355a8090dcaf6ef966e66130ad5ff06318bbd0a8
• Opcode Fuzzy Hash: f9f6c698642d398b554f84be3c90f4064283888af6bbc673017cb63da6670b61
• Instruction Fuzzy Hash: 125125B15046018FD7208F29C988B667F98BB02736F15873AE492FB3E1D7BC9A05C709
APIs
  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
• sqlite3_mutex_enter.SQLITE3 ref: 6093A114
• sqlite3_mutex_free.SQLITE3 ref: 6093A152
• sqlite3_mutex_leave.SQLITE3 ref: 6093A162
• sqlite3_free.SQLITE3 ref: 6093A1A4
• sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
• String ID:
• API String ID: 1894464702-0
• Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
• Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
• Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
• Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
APIs
  • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
• sqlite3_mutex_leave.SQLITE3 ref: 609253C4
• sqlite3_log.SQLITE3 ref: 609253E2
• sqlite3_log.SQLITE3 ref: 60925406
• sqlite3_mutex_leave.SQLITE3 ref: 60925443
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
• String ID:
• API String ID: 3336957480-0
• Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
• Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
• Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
• Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
APIs
• sqlite3_result_blob.SQLITE3 ref: 609613D0
• sqlite3_column_int.SQLITE3 ref: 6096143A
• sqlite3_data_count.SQLITE3 ref: 60961465
• sqlite3_column_value.SQLITE3 ref: 60961476
• sqlite3_result_value.SQLITE3 ref: 60961482
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
• String ID:
• API String ID: 3091402450-0
• Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
• Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
• Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
• Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
APIs
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
• String ID:
• API String ID: 251237202-0
• Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
• Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
• Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
• Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                                          APIs
                                                                          • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                          • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                          • String ID:
                                                                          • API String ID: 4225432645-0
                                                                          • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                          • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                                          • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                          • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 6090359D
                                                                          • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 609035E0
                                                                          • sqlite3_mutex_enter.SQLITE3(?,-00000200,?), ref: 609035F9
                                                                          • sqlite3_mutex_leave.SQLITE3(?,-00000200,?), ref: 60903614
                                                                          • sqlite3_free.SQLITE3(?,-00000200,?), ref: 6090361C
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                          • String ID:
                                                                          • API String ID: 251237202-0
                                                                          • Opcode ID: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                                          • Instruction ID: 98a7ce7f1ce2ff6a0e5ca4ca87ec4bf20a5c319c62b2fc6798152503390b0136
                                                                          • Opcode Fuzzy Hash: d176fa110bd2286076a254f1a84b89a7a2b75649dc4a807f2bdee778eef171d4
                                                                          • Instruction Fuzzy Hash: B211FE725186218BCB00EF7DC8C16197FE7FB66358F01491DE866D7362D73AD480AB42
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: ($string or blob too big$|
                                                                          • API String ID: 632333372-2398534278
                                                                          • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                          • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                                          • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                          • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_stricmp
                                                                          • String ID: BINARY
                                                                          • API String ID: 912767213-907554435
                                                                          • Opcode ID: dd54eeba7b99beb4c129e1ce0ebb3c97c4d31291de79a9977aa1c0a9ff3222ee
                                                                          • Instruction ID: 142a1e9d4f1e8552d2c1f4074703eb5ae9f1e70d76b7ded3e689f9c37387bea1
                                                                          • Opcode Fuzzy Hash: dd54eeba7b99beb4c129e1ce0ebb3c97c4d31291de79a9977aa1c0a9ff3222ee
                                                                          • Instruction Fuzzy Hash: 11512AB8A142159FCF05CF68D580A9EBBFBBFA9314F208569D855AB318D335EC41CB90
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$Protect$Query
                                                                          • String ID: @
                                                                          • API String ID: 3618607426-2766056989
                                                                          • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                          • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                                          • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                          • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                                          APIs
                                                                          • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                            • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                          • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                          • sqlite3_free.SQLITE3 ref: 609283B6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                          • String ID: d
                                                                          • API String ID: 211589378-2564639436
                                                                          • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                          • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                                          • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                          • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                          • API String ID: 1646373207-2713375476
                                                                          • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                          • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                          • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                          • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(KERNEL32,004028E9), ref: 00402CCF
                                                                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00402CDF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: AddressHandleModuleProc
                                                                          • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                          • API String ID: 1646373207-3105848591
                                                                          • Opcode ID: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                          • Instruction ID: 2adebd830dd3b14d64e79f2d4f5eff8f6aaaa0a0dfbfbc424d90c26f206a1370
                                                                          • Opcode Fuzzy Hash: d54598a83eb0baa68b6903309d995a9c08ead6f1cb52c8cdd87b98e358e571e4
                                                                          • Instruction Fuzzy Hash: 8EC01220388602ABFE902BB14F0EB2A21082F00B82F14407E6589F02C0CEBCC008903D
                                                                          APIs
                                                                          • HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403BAA), ref: 004047AD
                                                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403BAA), ref: 004047D1
                                                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403BAA), ref: 004047EB
                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403BAA), ref: 004048AC
                                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403BAA), ref: 004048C3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual$FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 714016831-0
                                                                          • Opcode ID: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
                                                                          • Instruction ID: c10c021e120759eda6135e36457b27e0c23e5a43da849e4fe0a9db16ba58ca85
                                                                          • Opcode Fuzzy Hash: 40c1f36ec91e0fdcd34999e659656618bdbc287b61182469df63e7afeec0b04d
                                                                          • Instruction Fuzzy Hash: 453142B65007029BD3309F24DD40B26B7E0EB88B54F10CA3AEA95B76D1E778A8448F4C
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_free
                                                                          • String ID:
                                                                          • API String ID: 2313487548-0
                                                                          • Opcode ID: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                          • Instruction ID: 4e09bb13dd5a3c3c1d339de95b14bc5918580ae4e3dbdcf066e72e084d482625
                                                                          • Opcode Fuzzy Hash: 17c4197e66eccf8e4e539c70c01e6b2d08fb8491bcf73b2b2b780fd64eb57762
                                                                          • Instruction Fuzzy Hash: 15E14674928209EFDB04CF94D184B9EBBB2FF69304F208558D8956B259D774EC86CF81
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: sqlite_master$sqlite_sequence$sqlite_temp_master
                                                                          • API String ID: 0-1177837799
                                                                          • Opcode ID: b45b6970ebe54efa46efcb65f0e1138f7cff2b55d537d73117a3441f01693427
                                                                          • Instruction ID: e5240d50caebec33bd4ce83d4b9fb982fe545a794019e3d400788b6e3ec19482
                                                                          • Opcode Fuzzy Hash: b45b6970ebe54efa46efcb65f0e1138f7cff2b55d537d73117a3441f01693427
                                                                          • Instruction Fuzzy Hash: F7C13974B062089BDB05DF68D49179EBBF3AFA8308F14C42DE8899B345DB39D841CB41
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_leave$sqlite3_logsqlite3_mutex_enter
                                                                          • String ID:
                                                                          • API String ID: 4249760608-0
                                                                          • Opcode ID: 55775a197f9aa81981a6c1824e65e5643dd82e92c35c8cbf90f4756fe2761598
                                                                          • Instruction ID: 2374180173898b37ca3bb3ba1fa7e33799c7e45bceefb220d1965ad168ba1add
                                                                          • Opcode Fuzzy Hash: 55775a197f9aa81981a6c1824e65e5643dd82e92c35c8cbf90f4756fe2761598
                                                                          • Instruction Fuzzy Hash: 7F412970A083048BE701DF6AC495B8ABBF6FFA5308F04C46DE8598B355D779D849CB91
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
                                                                          • String ID:
                                                                          • API String ID: 1648232842-0
                                                                          • Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                          • Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
                                                                          • Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
                                                                          • Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
                                                                          APIs
                                                                          • sqlite3_step.SQLITE3 ref: 609614AB
                                                                          • sqlite3_reset.SQLITE3 ref: 609614BF
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                            • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                          • sqlite3_column_int64.SQLITE3 ref: 609614D4
                                                                          Similarity
                                                                          • API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
                                                                          • String ID:
                                                                          • API String ID: 3429445273-0
                                                                          • Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                          • Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
                                                                          • Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
                                                                          • Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: sqlite3_snprintf$sqlite3_stricmpsqlite3_value_text
                                                                          • String ID:
                                                                          • API String ID: 1035992805-0
                                                                          • Opcode ID: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                          • Instruction ID: 84d28b158f1a11e063f70be148de9c7b2eff514b3bcf7808f17aa895500be78a
                                                                          • Opcode Fuzzy Hash: 213593095aed0ecc64844f89ed1f3878beaaf7633e295caa013ed5846923251b
                                                                          • Instruction Fuzzy Hash: 8C3178B0A08324DFEB24CF28C481B4ABBF6FBA5318F04C499E4888B251C775D885DF42
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
                                                                          • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
                                                                          • sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
                                                                          • sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1477753154-0
                                                                          • Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                          • Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
                                                                          • Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
                                                                          • Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
                                                                          APIs
                                                                          • sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                          • sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 2673540737-0
                                                                          • Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                          • Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
                                                                          • Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
                                                                          • Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                          • String ID:
                                                                          • API String ID: 3526213481-0
                                                                          • Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                          • Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
                                                                          • Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
                                                                          • Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
                                                                          APIs
                                                                          • sqlite3_prepare.SQLITE3 ref: 60969166
                                                                          • sqlite3_errmsg.SQLITE3 ref: 60969172
                                                                            • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
                                                                          • sqlite3_errcode.SQLITE3 ref: 6096918A
                                                                            • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
                                                                          • sqlite3_step.SQLITE3 ref: 60969197
                                                                          Similarity
                                                                          • API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
                                                                          • String ID:
                                                                          • API String ID: 2877408194-0
                                                                          • Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                          • Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
                                                                          • Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
                                                                          • Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
                                                                          APIs
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_blobsqlite3_value_bytes
                                                                          • String ID:
                                                                          • API String ID: 1163609955-0
                                                                          • Opcode ID: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                                          • Instruction ID: 8e0d1a1b7fe9adeaf330fda5a565ce202833de3a42fcd494fa905fee92021967
                                                                          • Opcode Fuzzy Hash: c446836a4840d302dbdc97fcf3f25a19881b43244be54ce00609cbc101420811
                                                                          • Instruction Fuzzy Hash: F6F0C8716282145FC3106F3994816697BE6DFA6758F0144A9F584CB314DB75CC82C742
                                                                          APIs
                                                                          • sqlite3_prepare_v2.SQLITE3 ref: 609615BA
                                                                          • sqlite3_step.SQLITE3 ref: 609615C9
                                                                          • sqlite3_column_int.SQLITE3 ref: 609615E1
                                                                            • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                          • sqlite3_finalize.SQLITE3 ref: 609615EE
                                                                          Similarity
                                                                          • API ID: sqlite3_column_intsqlite3_finalizesqlite3_prepare_v2sqlite3_stepsqlite3_value_int
                                                                          • String ID:
                                                                          • API String ID: 4265739436-0
                                                                          • Opcode ID: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                                          • Instruction ID: 970f7a8085286b868af170b9ae73916577c28f03d50975cfa6e3c5bd991c66ad
                                                                          • Opcode Fuzzy Hash: edb1a347b7ee41d63e69a54b369763b34702b79c0c254a7699785c0090147395
                                                                          • Instruction Fuzzy Hash: BE01E4B0D083049BEB10EF69C58575EFBF9EFA5314F00896DE8A997380E775D9408B82
                                                                          APIs
                                                                          • sqlite3_initialize.SQLITE3 ref: 6092A638
                                                                            • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 6092A64F
                                                                          • strcmp.MSVCRT ref: 6092A66A
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6092A67D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_mutex_leavestrcmp
                                                                          • String ID:
                                                                          • API String ID: 1894734062-0
                                                                          • Opcode ID: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
                                                                          • Instruction ID: 0dacd04717b96a229033e5bf385d74358d6efc238696297f04088f4a0acd15ee
                                                                          • Opcode Fuzzy Hash: 1480f87154849f1cdf239baa72c9ff1b5e3c835899009c68b4affe8256d9fce5
                                                                          • Instruction Fuzzy Hash: EBF0B4726243044BC7006F799CC164A7FAEEEB1298B05802CEC548B319EB35DC0297A1
                                                                          APIs
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 609084E9
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 60908518
                                                                          • sqlite3_mutex_enter.SQLITE3 ref: 60908528
                                                                          • sqlite3_mutex_leave.SQLITE3 ref: 6090855B
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID:
                                                                          • API String ID: 1477753154-0
                                                                          • Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                          • Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
                                                                          • Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
                                                                          • Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: into$out of
                                                                          • API String ID: 632333372-1114767565
                                                                          • Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                          • Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
                                                                          • Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
                                                                          • Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
                                                                          APIs
                                                                            • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
                                                                          • sqlite3_free.SQLITE3 ref: 609193A3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_freesqlite3_value_text
                                                                          • String ID: (NULL)$NULL
                                                                          • API String ID: 2175239460-873412390
                                                                          • Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                          • Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
                                                                          • Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
                                                                          • Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: -- $d
                                                                          • API String ID: 632333372-777087308
                                                                          • Opcode ID: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                          • Instruction ID: d45f625f7ed72e8bd0cbe86fb5af212c953cff4c7e5ffbb26f6c4a79540968e1
                                                                          • Opcode Fuzzy Hash: 2197877c990d2cc598be623123ad695ba2ed3a88a0fc98749b4c643aad0a3996
                                                                          • Instruction Fuzzy Hash: FB51F674A043689BDB26CF28C980789BBFABF55304F1481D9E89CAB341C7759E85CF40
                                                                          APIs
                                                                          • GetCPInfo.KERNEL32(?,00000000), ref: 00405BB3
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: Info
                                                                          • String ID: $
                                                                          • API String ID: 1807457897-3032137957
                                                                          • Opcode ID: d62f257e1640a576e7c9989f97778ac9c58cbb7090796bbb9a31cafd0bd77437
                                                                          • Instruction ID: d944e0326c6926f7701021ceed1c995ec26cf4905102b61f872e2d2972a5c282
                                                                          • Opcode Fuzzy Hash: d62f257e1640a576e7c9989f97778ac9c58cbb7090796bbb9a31cafd0bd77437
                                                                          • Instruction Fuzzy Hash: 824168300186589AFB119724CD89BFB3FA9EB05B00F1400FAD586FB1D2C2394954DFAA
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: string or blob too big$|
                                                                          • API String ID: 632333372-330586046
                                                                          • Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                          • Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
                                                                          • Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
                                                                          • Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: d$|
                                                                          • API String ID: 632333372-415524447
                                                                          • Opcode ID: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                          • Instruction ID: dac03e427e93f591f5d1737f90c886445feec93ea56e6f6f32424ebbe55d5cce
                                                                          • Opcode Fuzzy Hash: b41da94c8e0873fb31ce46b9bf1ec845f2d469f37e36bd2a55cc8f8885e561b5
                                                                          • Instruction Fuzzy Hash: 50510970A04329DBDB26CF19C981799BBBABF55308F0481D9E958AB341D735EE81CF41
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_logsqlite3_value_text
                                                                          • String ID: string or blob too big
                                                                          • API String ID: 2320820228-2803948771
                                                                          • Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                          • Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
                                                                          • Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
                                                                          • Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45
                                                                          APIs
                                                                          • sqlite3_aggregate_context.SQLITE3 ref: 60914096
                                                                          • sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                          • String ID:
                                                                          • API String ID: 3265351223-3916222277
                                                                          • Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                          • Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
                                                                          • Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
                                                                          • Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_stricmp
                                                                          • String ID: log
                                                                          • API String ID: 912767213-2403297477
                                                                          • Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                          • Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
                                                                          • Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
                                                                          • Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_strnicmp
                                                                          • String ID: SQLITE_
                                                                          • API String ID: 1961171630-787686576
                                                                          • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                          • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                          • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                          • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                          APIs
                                                                          • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                          • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                          Strings
                                                                          • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                          • String ID: Invalid argument to rtreedepth()
                                                                          • API String ID: 1063208240-2843521569
                                                                          • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                          • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                          • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                          • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                          APIs
                                                                          • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                            • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                            • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                            • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                            • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                          • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                          • String ID: soft_heap_limit
                                                                          • API String ID: 1251656441-405162809
                                                                          • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                          • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                          • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                          • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                          APIs
                                                                          • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                          • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: sqlite3_log
                                                                          • String ID: NULL
                                                                          • API String ID: 632333372-324932091
                                                                          • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                          • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                          • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                          • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                          APIs
                                                                          • HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404608
                                                                          • HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040463C
                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404656
                                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040466D
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000003.00000002.3208464236.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_400000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: AllocHeap$FreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 3499195154-0
                                                                          • Opcode ID: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                          • Instruction ID: 2adbec297c34dc3d5fc58a6281b1bdaad71761cfda4098cfa9d0d345734132fa
                                                                          • Opcode Fuzzy Hash: 89e6c41d760d97d5fcc59a371cb6f4e80e60aa6d464a71aa99f6417c7b537c35
                                                                          • Instruction Fuzzy Hash: 2D114C70250701DFD7308F28EE85E127BB5F7867207108B3DEAA1E25E0D7359845CB08
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterLeavefree
                                                                          • String ID:
                                                                          • API String ID: 4020351045-0
                                                                          • Opcode ID: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
                                                                          • Instruction ID: 980a39aab3b848caec2c27f45d5308e77b440585e3cd6ccd446b63c63d51e1b6
                                                                          • Opcode Fuzzy Hash: 13d179c58506242de641c1793229aaf6d73ae3266bd26a3d41fb94aeb54caf06
                                                                          • Instruction Fuzzy Hash: 2D018070B293058BDB10DF28C985919BBFBABB6308B20855CE499D7355D770DC80EB62
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                          • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                          • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                          • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                          Memory Dump Source
                                                                          • Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                          • Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211097181.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211115483.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211154174.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211171743.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                          • Associated: 00000003.00000002.3211220491.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_3_2_60900000_mediacodecpack3.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                          • String ID:
                                                                          • API String ID: 682475483-0
                                                                          • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                          • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                          • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                          • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2
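The per-function entries above are flat text, but the fields they carry (the image each function was dumped from, the page protection encoded in the dump file name, the raw hex arguments of each API call, and the Opcode and Instruction fuzzy hashes) are what a practitioner pivots on when triaging. The parser below is an added example, not Joe Sandbox code and not part of this report: it reads entries in the format shown above into records, names the VirtualAlloc flags that the listing shows as bare hex, and separates the functions of the bundled SQLite3 image at 0x60900000 from those of the sample's own image at 0x400000. The sample input is constructed from two entries copied from this listing. Reading the fifth dot-separated field of a .sdmp name as the region's page protection is an assumption about Joe Sandbox's dump naming, not something the page states, as are the field names chosen for the parsed records.

```python
import re
from collections import defaultdict

# Constructed sample: two function entries copied from the report listing above, one
# from the bundled SQLite3 image at 0x60900000, one from the sample's own image at
# 0x400000. "Download File" is the page's link text, not part of the dump name.
SAMPLE = """
APIs
• sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
• sqlite3_value_blob.SQLITE3 ref: 6091A1FA
Strings
• Invalid argument to rtreedepth(), xrefs: 6091A1E3
Memory Dump Source
• Source File: 00000003.00000002.3210978252.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000003.00000002.3210960492.0000000060900000.00000002.00000001.01000000.0000000A.sdmpDownload File
Similarity
• API ID: sqlite3_value_blobsqlite3_value_bytes
• Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
APIs
• HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404608
• HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040463C
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 00404656
• HeapFree.KERNEL32(00000000,?,?,00000000,004043A8,?,?,?,00000100,?,00000000), ref: 0040466D
Memory Dump Source
• Source File: 00000003.00000002.3208464236.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AllocHeap$FreeVirtual
• Instruction Fuzzy Hash: 2D114C70250701DFD7308F28EE85E127BB5F7867207108B3DEAA1E25E0D7359845CB08
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^•\s+(?P<sub>Part of subcall function \w+:\s+)?(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s+(?P<text>.*?), xrefs: (?P<refs>[0-9A-Fa-f ,]+)$")
KV_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")
SRC_RE = re.compile(r"(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+)")

# winnt.h constants, used to name the bits the listing shows as raw hex.
PAGE_FLAGS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x100: "PAGE_GUARD"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}


def dump_protection(dump_name):
    """Assumed .sdmp name layout: pid.run.id.base.protect.type.state.image; field 5
    is read as the region's page protection (an assumption, not stated on the page)."""
    return int(dump_name.rsplit(".sdmp", 1)[0].split(".")[4], 16)


def parse_entries(text):
    """Turn the flat per-function listing into one dict per function."""
    entries, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line in HEADERS:
            if line == "APIs":                     # every entry opens with this header
                cur = {"apis": [], "strings": [], "associated": [], "meta": {}}
                entries.append(cur)
            section = line
        elif cur is None or not line.startswith("•"):
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": args,
                                "ref": int(m["ref"], 16), "subcall": bool(m["sub"])})
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur["strings"].append(m["text"])
        elif m := KV_RE.match(line):
            key, val = m["key"], m["val"]
            if key == "Associated":
                cur["associated"].append(val.removesuffix("Download File"))
            elif key == "Source File" and (s := SRC_RE.match(val)):
                cur["dump"], cur["image_base"] = s["dump"], int(s["offset"], 16)
                cur["protect"] = dump_protection(s["dump"])
            else:
                cur["meta"][key] = val
    return entries


def names(value, table):
    return [n for bit, n in table.items() if value & bit] or [hex(value)]


def decode_virtualalloc(call):
    """Name flAllocationType/flProtect of a VirtualAlloc call. Only the first four
    values are the API's own arguments; the rest is stack context the listing records,
    and '?' marks a value the sandbox could not recover statically."""
    a = call["args"][:4]
    if call["name"] != "VirtualAlloc" or len(a) < 4 or "?" in a:
        return None
    size, alloc_type, protect = (int(x, 16) for x in a[1:4])
    return {"size": size, "alloc_type": names(alloc_type, MEM_FLAGS),
            "protect": names(protect, PAGE_FLAGS)}


def apis_by_image(entries):
    """API names referenced per image: separates the bundled library's functions
    from the sample's own code."""
    out = defaultdict(set)
    for e in entries:
        out[e["image_base"]].update(c["name"] for c in e["apis"])
    return {base: sorted(v) for base, v in out.items()}


def writable_code_images(entries):
    """Images whose dumped code region was PAGE_EXECUTE_READWRITE: a packed or
    self-rewriting module, the one to triage first."""
    return sorted({e["image_base"] for e in entries if e.get("protect", 0) & 0x40})


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for base, apis in apis_by_image(parsed).items():
        print(f"{base:#010x}: {', '.join(apis)}")
    print("RWX images:", [hex(b) for b in writable_code_images(parsed)])
    for call in (c for e in parsed for c in e["apis"]):
        if d := decode_virtualalloc(call):
            print(f"VirtualAlloc @ {call['ref']:#x}: {d}")
```

On the two copied entries the VirtualAlloc at 0x404656 decodes to a 1 MiB MEM_RESERVE of PAGE_READWRITE memory, which together with the HeapAlloc/HeapReAlloc/HeapFree calls in the same function reads as an allocator rather than a code-injection primitive, and the 0x400000 image is the only one whose code region was dumped as PAGE_EXECUTE_READWRITE, consistent with the unpacking signatures in the overview. The SQLite3 functions, which make up most of this listing, can be set aside as library code; the Instruction Fuzzy Hash and Opcode ID fields the parser keeps in `meta` are the values to carry across reports when looking for the same loader in other samples.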